Merge pull request #3396 from akhilmhdh/feat/msg-crct

Updated error message on update org for saml/oidc enforcement

.github/workflows/release_build_infisical_cli.yml

@@ -145,3 +145,9 @@ jobs:
           INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
           AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+      - name: Invalidate Cloudfront cache
+        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}

README.md

@@ -50,7 +50,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Dashboard](https://infisical.com/docs/documentation/platform/project)**: Manage secrets across projects and environments (e.g. development, production, etc.) through a user-friendly interface.
 - **[Native Integrations](https://infisical.com/docs/integrations/overview)**: Sync secrets to platforms like [GitHub](https://infisical.com/docs/integrations/cicd/githubactions), [Vercel](https://infisical.com/docs/integrations/cloud/vercel), [AWS](https://infisical.com/docs/integrations/cloud/aws-secret-manager), and use tools like [Terraform](https://infisical.com/docs/integrations/frameworks/terraform), [Ansible](https://infisical.com/docs/integrations/platforms/ansible), and more.
 - **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery](https://infisical.com/docs/documentation/platform/pit-recovery)**: Keep track of every secret and project state; roll back when needed.
-- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
+- **[Secret Rotation](https://infisical.com/docs/documentation/platform/secret-rotation/overview)**: Rotate secrets at regular intervals for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/secret-rotation/postgres-credentials), [MySQL](https://infisical.com/docs/documentation/platform/secret-rotation/mysql), [AWS IAM](https://infisical.com/docs/documentation/platform/secret-rotation/aws-iam), and more.
 - **[Dynamic Secrets](https://infisical.com/docs/documentation/platform/dynamic-secrets/overview)**: Generate ephemeral secrets on-demand for services like [PostgreSQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/postgresql), [MySQL](https://infisical.com/docs/documentation/platform/dynamic-secrets/mysql), [RabbitMQ](https://infisical.com/docs/documentation/platform/dynamic-secrets/rabbit-mq), and more.
 - **[Secret Scanning and Leak Prevention](https://infisical.com/docs/cli/scanning-overview)**: Prevent secrets from leaking to git.
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.

backend/src/@types/fastify.d.ts

@@ -136,7 +136,7 @@ declare module "fastify" {
     rateLimits: RateLimitConfiguration;
     // passport data
     passportUser: {
-      isUserCompleted: string;
+      isUserCompleted: boolean;
       providerAuthToken: string;
     };
     kmipUser: {

backend/src/db/migrations/20250414203701_add-notification-flag-service-token.ts

@@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
+      t.boolean("expiryNotificationSent").defaultTo(false);
+    });
+
+    // Update only tokens where expiresAt is before current time
+    await knex(TableName.ServiceToken)
+      .whereRaw(`${TableName.ServiceToken}."expiresAt" < NOW()`)
+      .whereNotNull("expiresAt")
+      .update({ expiryNotificationSent: true });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.ServiceToken, "expiryNotificationSent");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.ServiceToken, (t) => {
+      t.dropColumn("expiryNotificationSent");
+    });
+  }
+}

backend/src/db/migrations/20250414234624_add-project-delete-protection.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.boolean("hasDeleteProtection").defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.Project, "hasDeleteProtection");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("hasDeleteProtection");
+    });
+  }
+}

backend/src/db/migrations/20250416113437_add-oidc-jwt-signature-algorithm.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm"))) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.string("jwtSignatureAlgorithm").defaultTo(OIDCJWTSignatureAlgorithm.RS256).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "jwtSignatureAlgorithm")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropColumn("jwtSignatureAlgorithm");
+    });
+  }
+}

backend/src/db/migrations/20250416145120_add-enable-bypass-org-auth-flag.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled"))) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.boolean("bypassOrgAuthEnabled").defaultTo(false).notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Organization, "bypassOrgAuthEnabled")) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.dropColumn("bypassOrgAuthEnabled");
+    });
+  }
+}

backend/src/db/schemas/oidc-configs.ts

@@ -30,9 +30,10 @@ export const OidcConfigsSchema = z.object({
   updatedAt: z.date(),
   orgId: z.string().uuid(),
   lastUsed: z.date().nullable().optional(),
-  manageGroupMemberships: z.boolean().default(false),
   encryptedOidcClientId: zodBuffer,
-  encryptedOidcClientSecret: zodBuffer
+  encryptedOidcClientSecret: zodBuffer,
+  manageGroupMemberships: z.boolean().default(false),
+  jwtSignatureAlgorithm: z.string().default("RS256")
 });
 
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;

backend/src/db/schemas/organizations.ts

@@ -26,7 +26,8 @@ export const OrganizationsSchema = z.object({
   allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional(),
   shouldUseNewPrivilegeSystem: z.boolean().default(true),
   privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
-  privilegeUpgradeInitiatedAt: z.date().nullable().optional()
+  privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
+  bypassOrgAuthEnabled: z.boolean().default(false)
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/projects.ts

@@ -26,7 +26,8 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
   type: z.string(),
-  enforceCapitalization: z.boolean().default(false)
+  enforceCapitalization: z.boolean().default(false),
+  hasDeleteProtection: z.boolean().default(true).nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/service-tokens.ts

@@ -21,7 +21,8 @@ export const ServiceTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   createdBy: z.string(),
-  projectId: z.string()
+  projectId: z.string(),
+  expiryNotificationSent: z.boolean().default(false).nullable().optional()
 });
 
 export type TServiceTokens = z.infer<typeof ServiceTokensSchema>;

backend/src/ee/routes/v1/oidc-router.ts

@@ -12,7 +12,7 @@ import RedisStore from "connect-redis";
 import { z } from "zod";
 
 import { OidcConfigsSchema } from "@app/db/schemas";
-import { OIDCConfigurationType } from "@app/ee/services/oidc/oidc-config-types";
+import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -30,7 +30,8 @@ const SanitizedOidcConfigSchema = OidcConfigsSchema.pick({
   orgId: true,
   isActive: true,
   allowedEmailDomains: true,
-  manageGroupMemberships: true
+  manageGroupMemberships: true,
+  jwtSignatureAlgorithm: true
 });
 
 export const registerOidcRouter = async (server: FastifyZodProvider) => {
@@ -170,7 +171,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           isActive: true,
           orgId: true,
           allowedEmailDomains: true,
-          manageGroupMemberships: true
+          manageGroupMemberships: true,
+          jwtSignatureAlgorithm: true
         }).extend({
           clientId: z.string(),
           clientSecret: z.string()
@@ -225,7 +227,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           clientId: z.string().trim(),
           clientSecret: z.string().trim(),
           isActive: z.boolean(),
-          manageGroupMemberships: z.boolean().optional()
+          manageGroupMemberships: z.boolean().optional(),
+          jwtSignatureAlgorithm: z.nativeEnum(OIDCJWTSignatureAlgorithm).optional()
         })
         .partial()
         .merge(z.object({ orgSlug: z.string() })),
@@ -292,7 +295,11 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           clientSecret: z.string().trim(),
           isActive: z.boolean(),
           orgSlug: z.string().trim(),
-          manageGroupMemberships: z.boolean().optional().default(false)
+          manageGroupMemberships: z.boolean().optional().default(false),
+          jwtSignatureAlgorithm: z
+            .nativeEnum(OIDCJWTSignatureAlgorithm)
+            .optional()
+            .default(OIDCJWTSignatureAlgorithm.RS256)
         })
         .superRefine((data, ctx) => {
           if (data.configurationType === OIDCConfigurationType.CUSTOM) {

backend/src/ee/routes/v1/saml-router.ts

@@ -223,12 +223,18 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
         samlConfigId: z.string().trim()
       })
     },
-    preValidation: passport.authenticate("saml", {
-      session: false,
-      failureFlash: true,
-      failureRedirect: "/login/provider/error"
-      // this is due to zod type difference
-    }) as any,
+    preValidation: passport.authenticate(
+      "saml",
+      {
+        session: false
+      },
+      async (req, res, err, user) => {
+        if (err) {
+          throw new BadRequestError({ message: `Saml authentication failed. ${err?.message}`, error: err });
+        }
+        req.passportUser = user as { isUserCompleted: boolean; providerAuthToken: string };
+      }
+    ) as any, // this is due to zod type difference
     handler: (req, res) => {
       if (req.passportUser.isUserCompleted) {
         return res.redirect(

backend/src/ee/routes/v2/secret-rotation-v2-routers/auth0-client-secret-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  Auth0ClientSecretRotationGeneratedCredentialsSchema,
+  Auth0ClientSecretRotationSchema,
+  CreateAuth0ClientSecretRotationSchema,
+  UpdateAuth0ClientSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerAuth0ClientSecretRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.Auth0ClientSecret,
+    server,
+    responseSchema: Auth0ClientSecretRotationSchema,
+    createSchema: CreateAuth0ClientSecretRotationSchema,
+    updateSchema: UpdateAuth0ClientSecretRotationSchema,
+    generatedCredentialsSchema: Auth0ClientSecretRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -1,5 +1,6 @@
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 
+import { registerAuth0ClientSecretRotationRouter } from "./auth0-client-secret-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
@@ -10,5 +11,6 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
   (server: FastifyZodProvider) => Promise<void>
 > = {
   [SecretRotation.PostgresCredentials]: registerPostgresCredentialsRotationRouter,
-  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter
+  [SecretRotation.MsSqlCredentials]: registerMsSqlCredentialsRotationRouter,
+  [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter
 };

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { Auth0ClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
@@ -11,7 +12,8 @@ import { AuthMode } from "@app/services/auth/auth-type";
 
 const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationListItemSchema,
-  MsSqlCredentialsRotationListItemSchema
+  MsSqlCredentialsRotationListItemSchema,
+  Auth0ClientSecretRotationListItemSchema
 ]);
 
 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/services/oidc/oidc-config-dal.ts

@@ -1,6 +1,5 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 
 export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
@@ -8,22 +7,5 @@ export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
 export const oidcConfigDALFactory = (db: TDbClient) => {
   const oidcCfgOrm = ormify(db, TableName.OidcConfig);
 
-  const findEnforceableOidcCfg = async (orgId: string) => {
-    try {
-      const oidcCfg = await db
-        .replicaNode()(TableName.OidcConfig)
-        .where({
-          orgId,
-          isActive: true
-        })
-        .whereNotNull("lastUsed")
-        .first();
-
-      return oidcCfg;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find org by id" });
-    }
-  };
-
-  return { ...oidcCfgOrm, findEnforceableOidcCfg };
+  return oidcCfgOrm;
 };

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -165,7 +165,8 @@ export const oidcConfigServiceFactory = ({
       allowedEmailDomains: oidcCfg.allowedEmailDomains,
       clientId,
       clientSecret,
-      manageGroupMemberships: oidcCfg.manageGroupMemberships
+      manageGroupMemberships: oidcCfg.manageGroupMemberships,
+      jwtSignatureAlgorithm: oidcCfg.jwtSignatureAlgorithm
     };
   };
 
@@ -481,7 +482,8 @@ export const oidcConfigServiceFactory = ({
     userinfoEndpoint,
     clientId,
     clientSecret,
-    manageGroupMemberships
+    manageGroupMemberships,
+    jwtSignatureAlgorithm
   }: TUpdateOidcCfgDTO) => {
     const org = await orgDAL.findOne({
       slug: orgSlug
@@ -536,7 +538,8 @@ export const oidcConfigServiceFactory = ({
       jwksUri,
       isActive,
       lastUsed: null,
-      manageGroupMemberships
+      manageGroupMemberships,
+      jwtSignatureAlgorithm
     };
 
     if (clientId !== undefined) {
@@ -569,7 +572,8 @@ export const oidcConfigServiceFactory = ({
     userinfoEndpoint,
     clientId,
     clientSecret,
-    manageGroupMemberships
+    manageGroupMemberships,
+    jwtSignatureAlgorithm
   }: TCreateOidcCfgDTO) => {
     const org = await orgDAL.findOne({
       slug: orgSlug
@@ -613,6 +617,7 @@ export const oidcConfigServiceFactory = ({
       userinfoEndpoint,
       orgId: org.id,
       manageGroupMemberships,
+      jwtSignatureAlgorithm,
       encryptedOidcClientId: encryptor({ plainText: Buffer.from(clientId) }).cipherTextBlob,
       encryptedOidcClientSecret: encryptor({ plainText: Buffer.from(clientSecret) }).cipherTextBlob
     });
@@ -676,7 +681,8 @@ export const oidcConfigServiceFactory = ({
     const client = new issuer.Client({
       client_id: oidcCfg.clientId,
       client_secret: oidcCfg.clientSecret,
-      redirect_uris: [`${appCfg.SITE_URL}/api/v1/sso/oidc/callback`]
+      redirect_uris: [`${appCfg.SITE_URL}/api/v1/sso/oidc/callback`],
+      id_token_signed_response_alg: oidcCfg.jwtSignatureAlgorithm
     });
 
     const strategy = new OpenIdStrategy(

backend/src/ee/services/oidc/oidc-config-types.ts

@@ -5,6 +5,12 @@ export enum OIDCConfigurationType {
   DISCOVERY_URL = "discoveryURL"
 }
 
+export enum OIDCJWTSignatureAlgorithm {
+  RS256 = "RS256",
+  HS256 = "HS256",
+  RS512 = "RS512"
+}
+
 export type TOidcLoginDTO = {
   externalId: string;
   email: string;
@@ -40,6 +46,7 @@ export type TCreateOidcCfgDTO = {
   isActive: boolean;
   orgSlug: string;
   manageGroupMemberships: boolean;
+  jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 } & TGenericPermission;
 
 export type TUpdateOidcCfgDTO = Partial<{
@@ -56,5 +63,6 @@ export type TUpdateOidcCfgDTO = Partial<{
   isActive: boolean;
   orgSlug: string;
   manageGroupMemberships: boolean;
+  jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
 }> &
   TGenericPermission;

backend/src/ee/services/permission/permission-dal.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { TDbClient } from "@app/db";
 import {
   IdentityProjectMembershipRoleSchema,
+  OrgMembershipRole,
   OrgMembershipsSchema,
   TableName,
   TProjectRoles,
@@ -53,6 +54,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
           db.ref("permissions").withSchema(TableName.OrgRoles),
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
           db.ref("groupId").withSchema("userGroups"),
           db.ref("groupOrgId").withSchema("userGroups"),
           db.ref("groupName").withSchema("userGroups"),
@@ -71,6 +73,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           OrgMembershipsSchema.extend({
             permissions: z.unknown(),
             orgAuthEnforced: z.boolean().optional().nullable(),
+            bypassOrgAuthEnabled: z.boolean(),
             customRoleSlug: z.string().optional().nullable(),
             shouldUseNewPrivilegeSystem: z.boolean()
           }).parse(el),
@@ -571,6 +574,11 @@ export const permissionDALFactory = (db: TDbClient) => {
         })
         .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
         .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
+        .join(TableName.OrgMembership, (qb) => {
+          void qb
+            .on(`${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+            .andOn(`${TableName.OrgMembership}.orgId`, `${TableName.Organization}.id`);
+        })
         .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
           void queryBuilder
             .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
@@ -670,6 +678,8 @@ export const permissionDALFactory = (db: TDbClient) => {
           db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
           db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("bypassOrgAuthEnabled").withSchema(TableName.Organization).as("bypassOrgAuthEnabled"),
+          db.ref("role").withSchema(TableName.OrgMembership).as("orgRole"),
           db.ref("orgId").withSchema(TableName.Project),
           db.ref("type").withSchema(TableName.Project).as("projectType"),
           db.ref("id").withSchema(TableName.Project).as("projectId"),
@@ -683,6 +693,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           orgId,
           username,
           orgAuthEnforced,
+          orgRole,
           membershipId,
           groupMembershipId,
           membershipCreatedAt,
@@ -690,10 +701,12 @@ export const permissionDALFactory = (db: TDbClient) => {
           groupMembershipUpdatedAt,
           membershipUpdatedAt,
           projectType,
-          shouldUseNewPrivilegeSystem
+          shouldUseNewPrivilegeSystem,
+          bypassOrgAuthEnabled
         }) => ({
           orgId,
           orgAuthEnforced,
+          orgRole: orgRole as OrgMembershipRole,
           userId,
           projectId,
           username,
@@ -701,7 +714,8 @@ export const permissionDALFactory = (db: TDbClient) => {
           id: membershipId || groupMembershipId,
           createdAt: membershipCreatedAt || groupMembershipCreatedAt,
           updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt,
-          shouldUseNewPrivilegeSystem
+          shouldUseNewPrivilegeSystem,
+          bypassOrgAuthEnabled
         }),
         childrenMapper: [
           {

backend/src/ee/services/permission/permission-fns.ts

@@ -2,7 +2,7 @@
 import { ForbiddenError, MongoAbility, PureAbility, subject } from "@casl/ability";
 import { z } from "zod";
 
-import { TOrganizations } from "@app/db/schemas";
+import { OrgMembershipRole, TOrganizations } from "@app/db/schemas";
 import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
@@ -118,11 +118,20 @@ function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
   ].includes(actorAuthMethod);
 }
 
-function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrganizations["authEnforced"]) {
+function validateOrgSSO(
+  actorAuthMethod: ActorAuthMethod,
+  isOrgSsoEnforced: TOrganizations["authEnforced"],
+  isOrgSsoBypassEnabled: TOrganizations["bypassOrgAuthEnabled"],
+  orgRole: OrgMembershipRole
+) {
   if (actorAuthMethod === undefined) {
     throw new UnauthorizedError({ name: "No auth method defined" });
   }
 
+  if (isOrgSsoEnforced && isOrgSsoBypassEnabled && orgRole === OrgMembershipRole.Admin) {
+    return;
+  }
+
   if (
     isOrgSsoEnforced &&
     actorAuthMethod !== null &&

backend/src/ee/services/permission/permission-service.ts

@@ -139,7 +139,12 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
     }
 
-    validateOrgSSO(authMethod, membership.orgAuthEnforced);
+    validateOrgSSO(
+      authMethod,
+      membership.orgAuthEnforced,
+      membership.bypassOrgAuthEnabled,
+      membership.role as OrgMembershipRole
+    );
 
     const finalPolicyRoles = [{ role: membership.role, permissions: membership.permissions }].concat(
       membership?.groups?.map(({ role, customRolePermission }) => ({
@@ -226,7 +231,12 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
     }
 
-    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);
+    validateOrgSSO(
+      authMethod,
+      userProjectPermission.orgAuthEnforced,
+      userProjectPermission.bypassOrgAuthEnabled,
+      userProjectPermission.orgRole
+    );
 
     if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
       throw new BadRequestError({

backend/src/ee/services/saml-config/saml-config-dal.ts

@@ -1,6 +1,5 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 
 export type TSamlConfigDALFactory = ReturnType<typeof samlConfigDALFactory>;
@@ -8,25 +7,5 @@ export type TSamlConfigDALFactory = ReturnType<typeof samlConfigDALFactory>;
 export const samlConfigDALFactory = (db: TDbClient) => {
   const samlCfgOrm = ormify(db, TableName.SamlConfig);
 
-  const findEnforceableSamlCfg = async (orgId: string) => {
-    try {
-      const samlCfg = await db
-        .replicaNode()(TableName.SamlConfig)
-        .where({
-          orgId,
-          isActive: true
-        })
-        .whereNotNull("lastUsed")
-        .first();
-
-      return samlCfg;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find org by id" });
-    }
-  };
-
-  return {
-    ...samlCfgOrm,
-    findEnforceableSamlCfg
-  };
+  return samlCfgOrm;
 };

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-constants.ts

@@ -0,0 +1,15 @@
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
+  name: "Auth0 Client Secret",
+  type: SecretRotation.Auth0ClientSecret,
+  connection: AppConnection.Auth0,
+  template: {
+    secretsMapping: {
+      clientId: "AUTH0_CLIENT_ID",
+      clientSecret: "AUTH0_CLIENT_SECRET"
+    }
+  }
+};

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-fns.ts

@@ -0,0 +1,104 @@
+import {
+  TAuth0ClientSecretRotationGeneratedCredentials,
+  TAuth0ClientSecretRotationWithConnection
+} from "@app/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-types";
+import {
+  TRotationFactory,
+  TRotationFactoryGetSecretsPayload,
+  TRotationFactoryIssueCredentials,
+  TRotationFactoryRevokeCredentials,
+  TRotationFactoryRotateCredentials
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { request } from "@app/lib/config/request";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { getAuth0ConnectionAccessToken } from "@app/services/app-connection/auth0";
+
+import { generatePassword } from "../shared/utils";
+
+export const auth0ClientSecretRotationFactory: TRotationFactory<
+  TAuth0ClientSecretRotationWithConnection,
+  TAuth0ClientSecretRotationGeneratedCredentials
+> = (secretRotation, appConnectionDAL, kmsService) => {
+  const {
+    connection,
+    parameters: { clientId },
+    secretsMapping
+  } = secretRotation;
+
+  const $rotateClientSecret = async () => {
+    const accessToken = await getAuth0ConnectionAccessToken(connection, appConnectionDAL, kmsService);
+    const { audience } = connection.credentials;
+    await blockLocalAndPrivateIpAddresses(audience);
+    const clientSecret = generatePassword();
+
+    await request.request({
+      method: "PATCH",
+      url: `${audience}clients/${clientId}`,
+      headers: { authorization: `Bearer ${accessToken}` },
+      data: {
+        client_secret: clientSecret
+      }
+    });
+
+    return { clientId, clientSecret };
+  };
+
+  const issueCredentials: TRotationFactoryIssueCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
+    callback
+  ) => {
+    const credentials = await $rotateClientSecret();
+
+    return callback(credentials);
+  };
+
+  const revokeCredentials: TRotationFactoryRevokeCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
+    _,
+    callback
+  ) => {
+    const accessToken = await getAuth0ConnectionAccessToken(connection, appConnectionDAL, kmsService);
+    const { audience } = connection.credentials;
+    await blockLocalAndPrivateIpAddresses(audience);
+
+    // we just trigger an auth0 rotation to negate our credentials
+    await request.request({
+      method: "POST",
+      url: `${audience}clients/${clientId}/rotate-secret`,
+      headers: { authorization: `Bearer ${accessToken}` }
+    });
+
+    return callback();
+  };
+
+  const rotateCredentials: TRotationFactoryRotateCredentials<TAuth0ClientSecretRotationGeneratedCredentials> = async (
+    _,
+    callback
+  ) => {
+    const credentials = await $rotateClientSecret();
+
+    return callback(credentials);
+  };
+
+  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TAuth0ClientSecretRotationGeneratedCredentials> = (
+    generatedCredentials
+  ) => {
+    const secrets = [
+      {
+        key: secretsMapping.clientId,
+        value: generatedCredentials.clientId
+      },
+      {
+        key: secretsMapping.clientSecret,
+        value: generatedCredentials.clientSecret
+      }
+    ];
+
+    return secrets;
+  };
+
+  return {
+    issueCredentials,
+    revokeCredentials,
+    rotateCredentials,
+    getSecretsPayload
+  };
+};

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-schemas.ts

@@ -0,0 +1,67 @@
+import { z } from "zod";
+
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import {
+  BaseCreateSecretRotationSchema,
+  BaseSecretRotationSchema,
+  BaseUpdateSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
+import { SecretRotations } from "@app/lib/api-docs";
+import { SecretNameSchema } from "@app/server/lib/schemas";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const Auth0ClientSecretRotationGeneratedCredentialsSchema = z
+  .object({
+    clientId: z.string(),
+    clientSecret: z.string()
+  })
+  .array()
+  .min(1)
+  .max(2);
+
+const Auth0ClientSecretRotationParametersSchema = z.object({
+  clientId: z
+    .string()
+    .trim()
+    .min(1, "Client ID Required")
+    .describe(SecretRotations.PARAMETERS.AUTH0_CLIENT_SECRET.clientId)
+});
+
+const Auth0ClientSecretRotationSecretsMappingSchema = z.object({
+  clientId: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AUTH0_CLIENT_SECRET.clientId),
+  clientSecret: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.AUTH0_CLIENT_SECRET.clientSecret)
+});
+
+export const Auth0ClientSecretRotationTemplateSchema = z.object({
+  secretsMapping: z.object({
+    clientId: z.string(),
+    clientSecret: z.string()
+  })
+});
+
+export const Auth0ClientSecretRotationSchema = BaseSecretRotationSchema(SecretRotation.Auth0ClientSecret).extend({
+  type: z.literal(SecretRotation.Auth0ClientSecret),
+  parameters: Auth0ClientSecretRotationParametersSchema,
+  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema
+});
+
+export const CreateAuth0ClientSecretRotationSchema = BaseCreateSecretRotationSchema(
+  SecretRotation.Auth0ClientSecret
+).extend({
+  parameters: Auth0ClientSecretRotationParametersSchema,
+  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema
+});
+
+export const UpdateAuth0ClientSecretRotationSchema = BaseUpdateSecretRotationSchema(
+  SecretRotation.Auth0ClientSecret
+).extend({
+  parameters: Auth0ClientSecretRotationParametersSchema.optional(),
+  secretsMapping: Auth0ClientSecretRotationSecretsMappingSchema.optional()
+});
+
+export const Auth0ClientSecretRotationListItemSchema = z.object({
+  name: z.literal("Auth0 Client Secret"),
+  connection: z.literal(AppConnection.Auth0),
+  type: z.literal(SecretRotation.Auth0ClientSecret),
+  template: Auth0ClientSecretRotationTemplateSchema
+});

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-types.ts

@@ -0,0 +1,24 @@
+import { z } from "zod";
+
+import { TAuth0Connection } from "@app/services/app-connection/auth0";
+
+import {
+  Auth0ClientSecretRotationGeneratedCredentialsSchema,
+  Auth0ClientSecretRotationListItemSchema,
+  Auth0ClientSecretRotationSchema,
+  CreateAuth0ClientSecretRotationSchema
+} from "./auth0-client-secret-rotation-schemas";
+
+export type TAuth0ClientSecretRotation = z.infer<typeof Auth0ClientSecretRotationSchema>;
+
+export type TAuth0ClientSecretRotationInput = z.infer<typeof CreateAuth0ClientSecretRotationSchema>;
+
+export type TAuth0ClientSecretRotationListItem = z.infer<typeof Auth0ClientSecretRotationListItemSchema>;
+
+export type TAuth0ClientSecretRotationWithConnection = TAuth0ClientSecretRotation & {
+  connection: TAuth0Connection;
+};
+
+export type TAuth0ClientSecretRotationGeneratedCredentials = z.infer<
+  typeof Auth0ClientSecretRotationGeneratedCredentialsSchema
+>;

backend/src/ee/services/secret-rotation-v2/auth0-client-secret/index.ts

@@ -0,0 +1,3 @@
+export * from "./auth0-client-secret-rotation-constants";
+export * from "./auth0-client-secret-rotation-schemas";
+export * from "./auth0-client-secret-rotation-types";

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts

@@ -1,6 +1,7 @@
 export enum SecretRotation {
   PostgresCredentials = "postgres-credentials",
-  MsSqlCredentials = "mssql-credentials"
+  MsSqlCredentials = "mssql-credentials",
+  Auth0ClientSecret = "auth0-client-secret"
 }
 
 export enum SecretRotationStatus {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -3,6 +3,7 @@ import { AxiosError } from "axios";
 import { getConfig } from "@app/lib/config/env";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
+import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -16,7 +17,8 @@ import {
 
 const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2ListItem> = {
   [SecretRotation.PostgresCredentials]: POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION,
-  [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION
+  [SecretRotation.MsSqlCredentials]: MSSQL_CREDENTIALS_ROTATION_LIST_OPTION,
+  [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION
 };
 
 export const listSecretRotationOptions = () => {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts

@@ -3,10 +3,12 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 
 export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
   [SecretRotation.PostgresCredentials]: "PostgreSQL Credentials",
-  [SecretRotation.MsSqlCredentials]: "Microsoft SQL Sever Credentials"
+  [SecretRotation.MsSqlCredentials]: "Microsoft SQL Sever Credentials",
+  [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret"
 };
 
 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
   [SecretRotation.PostgresCredentials]: AppConnection.Postgres,
-  [SecretRotation.MsSqlCredentials]: AppConnection.MsSql
+  [SecretRotation.MsSqlCredentials]: AppConnection.MsSql,
+  [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0
 };

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -13,6 +13,7 @@ import {
   ProjectPermissionSecretRotationActions,
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
+import { auth0ClientSecretRotationFactory } from "@app/ee/services/secret-rotation-v2/auth0-client-secret/auth0-client-secret-rotation-fns";
 import { SecretRotation, SecretRotationStatus } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
   calculateNextRotationAt,
@@ -41,6 +42,7 @@ import {
   TRotationFactory,
   TSecretRotationRotateGeneratedCredentials,
   TSecretRotationV2,
+  TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2Raw,
   TSecretRotationV2WithConnection,
   TUpdateSecretRotationV2DTO
@@ -53,6 +55,7 @@ import { DatabaseErrorCode } from "@app/lib/error-codes";
 import { BadRequestError, DatabaseError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
 import { QueueJobs, TQueueServiceFactory } from "@app/queue";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { decryptAppConnection } from "@app/services/app-connection/app-connection-fns";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -97,15 +100,21 @@ export type TSecretRotationV2ServiceFactoryDep = {
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "removeSecretReminder">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   queueService: Pick<TQueueServiceFactory, "queuePg">;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
 };
 
 export type TSecretRotationV2ServiceFactory = ReturnType<typeof secretRotationV2ServiceFactory>;
 
 const MAX_GENERATED_CREDENTIALS_LENGTH = 2;
 
-const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactory> = {
-  [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory,
-  [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory
+type TRotationFactoryImplementation = TRotationFactory<
+  TSecretRotationV2WithConnection,
+  TSecretRotationV2GeneratedCredentials
+>;
+const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplementation> = {
+  [SecretRotation.PostgresCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
+  [SecretRotation.MsSqlCredentials]: sqlCredentialsRotationFactory as TRotationFactoryImplementation,
+  [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation
 };
 
 export const secretRotationV2ServiceFactory = ({
@@ -125,7 +134,8 @@ export const secretRotationV2ServiceFactory = ({
   secretQueueService,
   snapshotService,
   keyStore,
-  queueService
+  queueService,
+  appConnectionDAL
 }: TSecretRotationV2ServiceFactoryDep) => {
   const $queueSendSecretRotationStatusNotification = async (secretRotation: TSecretRotationV2Raw) => {
     const appCfg = getConfig();
@@ -429,11 +439,15 @@ export const secretRotationV2ServiceFactory = ({
     // validates permission to connect and app is valid for rotation type
     const connection = await appConnectionService.connectAppConnectionById(typeApp, payload.connectionId, actor);
 
-    const rotationFactory = SECRET_ROTATION_FACTORY_MAP[payload.type]({
-      parameters: payload.parameters,
-      secretsMapping,
-      connection
-    } as TSecretRotationV2WithConnection);
+    const rotationFactory = SECRET_ROTATION_FACTORY_MAP[payload.type](
+      {
+        parameters: payload.parameters,
+        secretsMapping,
+        connection
+      } as TSecretRotationV2WithConnection,
+      appConnectionDAL,
+      kmsService
+    );
 
     try {
       const currentTime = new Date();
@@ -441,7 +455,7 @@ export const secretRotationV2ServiceFactory = ({
       // callback structure to support transactional rollback when possible
       const secretRotation = await rotationFactory.issueCredentials(async (newCredentials) => {
         const encryptedGeneratedCredentials = await encryptSecretRotationCredentials({
-          generatedCredentials: [newCredentials],
+          generatedCredentials: [newCredentials] as TSecretRotationV2GeneratedCredentials,
           projectId,
           kmsService
         });
@@ -740,32 +754,37 @@ export const secretRotationV2ServiceFactory = ({
         message: `Secret Rotation with ID "${rotationId}" is not configured for ${SECRET_ROTATION_NAME_MAP[type]}`
       });
 
-    const deleteTransaction = secretRotationV2DAL.transaction(async (tx) => {
-      if (deleteSecrets) {
-        await fnSecretBulkDelete({
-          secretDAL: secretV2BridgeDAL,
-          secretQueueService,
-          inputSecrets: Object.values(secretsMapping as TSecretRotationV2["secretsMapping"]).map((secretKey) => ({
-            secretKey,
-            type: SecretType.Shared
-          })),
-          projectId,
-          folderId,
-          actorId: actor.id, // not actually used since rotated secrets are shared
-          tx
-        });
-      }
+    const deleteTransaction = async () =>
+      secretRotationV2DAL.transaction(async (tx) => {
+        if (deleteSecrets) {
+          await fnSecretBulkDelete({
+            secretDAL: secretV2BridgeDAL,
+            secretQueueService,
+            inputSecrets: Object.values(secretsMapping as TSecretRotationV2["secretsMapping"]).map((secretKey) => ({
+              secretKey,
+              type: SecretType.Shared
+            })),
+            projectId,
+            folderId,
+            actorId: actor.id, // not actually used since rotated secrets are shared
+            tx
+          });
+        }
 
-      return secretRotationV2DAL.deleteById(rotationId, tx);
-    });
+        return secretRotationV2DAL.deleteById(rotationId, tx);
+      });
 
     if (revokeGeneratedCredentials) {
       const appConnection = await decryptAppConnection(connection, kmsService);
 
-      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type]({
-        ...secretRotation,
-        connection: appConnection
-      } as TSecretRotationV2WithConnection);
+      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type](
+        {
+          ...secretRotation,
+          connection: appConnection
+        } as TSecretRotationV2WithConnection,
+        appConnectionDAL,
+        kmsService
+      );
 
       const generatedCredentials = await decryptSecretRotationCredentials({
         encryptedGeneratedCredentials,
@@ -773,9 +792,9 @@ export const secretRotationV2ServiceFactory = ({
         kmsService
       });
 
-      await rotationFactory.revokeCredentials(generatedCredentials, async () => deleteTransaction);
+      await rotationFactory.revokeCredentials(generatedCredentials, deleteTransaction);
     } else {
-      await deleteTransaction;
+      await deleteTransaction();
     }
 
     if (deleteSecrets) {
@@ -840,10 +859,14 @@ export const secretRotationV2ServiceFactory = ({
 
       const inactiveCredentials = generatedCredentials[inactiveIndex];
 
-      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type as SecretRotation]({
-        ...secretRotation,
-        connection: appConnection
-      } as TSecretRotationV2WithConnection);
+      const rotationFactory = SECRET_ROTATION_FACTORY_MAP[type as SecretRotation](
+        {
+          ...secretRotation,
+          connection: appConnection
+        } as TSecretRotationV2WithConnection,
+        appConnectionDAL,
+        kmsService
+      );
 
       const updatedRotation = await rotationFactory.rotateCredentials(inactiveCredentials, async (newCredentials) => {
         const updatedCredentials = [...generatedCredentials];
@@ -851,7 +874,7 @@ export const secretRotationV2ServiceFactory = ({
 
         const encryptedUpdatedCredentials = await encryptSecretRotationCredentials({
           projectId,
-          generatedCredentials: updatedCredentials,
+          generatedCredentials: updatedCredentials as TSecretRotationV2GeneratedCredentials,
           kmsService
         });
 

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -1,8 +1,17 @@
 import { AuditLogInfo } from "@app/ee/services/audit-log/audit-log-types";
 import { TSqlCredentialsRotationGeneratedCredentials } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types";
 import { OrderByDirection } from "@app/lib/types";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
+import {
+  TAuth0ClientSecretRotation,
+  TAuth0ClientSecretRotationGeneratedCredentials,
+  TAuth0ClientSecretRotationInput,
+  TAuth0ClientSecretRotationListItem,
+  TAuth0ClientSecretRotationWithConnection
+} from "./auth0-client-secret";
 import {
   TMsSqlCredentialsRotation,
   TMsSqlCredentialsRotationInput,
@@ -18,17 +27,26 @@ import {
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 import { SecretRotation } from "./secret-rotation-v2-enums";
 
-export type TSecretRotationV2 = TPostgresCredentialsRotation | TMsSqlCredentialsRotation;
+export type TSecretRotationV2 = TPostgresCredentialsRotation | TMsSqlCredentialsRotation | TAuth0ClientSecretRotation;
 
 export type TSecretRotationV2WithConnection =
   | TPostgresCredentialsRotationWithConnection
-  | TMsSqlCredentialsRotationWithConnection;
+  | TMsSqlCredentialsRotationWithConnection
+  | TAuth0ClientSecretRotationWithConnection;
 
-export type TSecretRotationV2GeneratedCredentials = TSqlCredentialsRotationGeneratedCredentials;
+export type TSecretRotationV2GeneratedCredentials =
+  | TSqlCredentialsRotationGeneratedCredentials
+  | TAuth0ClientSecretRotationGeneratedCredentials;
 
-export type TSecretRotationV2Input = TPostgresCredentialsRotationInput | TMsSqlCredentialsRotationInput;
+export type TSecretRotationV2Input =
+  | TPostgresCredentialsRotationInput
+  | TMsSqlCredentialsRotationInput
+  | TAuth0ClientSecretRotationInput;
 
-export type TSecretRotationV2ListItem = TPostgresCredentialsRotationListItem | TMsSqlCredentialsRotationListItem;
+export type TSecretRotationV2ListItem =
+  | TPostgresCredentialsRotationListItem
+  | TMsSqlCredentialsRotationListItem
+  | TAuth0ClientSecretRotationListItem;
 
 export type TSecretRotationV2Raw = NonNullable<Awaited<ReturnType<TSecretRotationV2DALFactory["findById"]>>>;
 
@@ -129,27 +147,34 @@ export type TSecretRotationSendNotificationJobPayload = {
 // transactional behavior. By passing in the rotation mutation, if this mutation fails we can roll back the
 // third party credential changes (when supported), preventing credentials getting out of sync
 
-export type TRotationFactoryIssueCredentials = (
-  callback: (newCredentials: TSecretRotationV2GeneratedCredentials[number]) => Promise<TSecretRotationV2Raw>
+export type TRotationFactoryIssueCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
+  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;
 
-export type TRotationFactoryRevokeCredentials = (
-  generatedCredentials: TSecretRotationV2GeneratedCredentials,
+export type TRotationFactoryRevokeCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
+  generatedCredentials: T,
   callback: () => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;
 
-export type TRotationFactoryRotateCredentials = (
-  credentialsToRevoke: TSecretRotationV2GeneratedCredentials[number] | undefined,
-  callback: (newCredentials: TSecretRotationV2GeneratedCredentials[number]) => Promise<TSecretRotationV2Raw>
+export type TRotationFactoryRotateCredentials<T extends TSecretRotationV2GeneratedCredentials> = (
+  credentialsToRevoke: T[number] | undefined,
+  callback: (newCredentials: T[number]) => Promise<TSecretRotationV2Raw>
 ) => Promise<TSecretRotationV2Raw>;
 
-export type TRotationFactoryGetSecretsPayload = (
-  generatedCredentials: TSecretRotationV2GeneratedCredentials[number]
+export type TRotationFactoryGetSecretsPayload<T extends TSecretRotationV2GeneratedCredentials> = (
+  generatedCredentials: T[number]
 ) => { key: string; value: string }[];
 
-export type TRotationFactory = (secretRotation: TSecretRotationV2WithConnection) => {
-  issueCredentials: TRotationFactoryIssueCredentials;
-  revokeCredentials: TRotationFactoryRevokeCredentials;
-  rotateCredentials: TRotationFactoryRotateCredentials;
-  getSecretsPayload: TRotationFactoryGetSecretsPayload;
+export type TRotationFactory<
+  T extends TSecretRotationV2WithConnection,
+  C extends TSecretRotationV2GeneratedCredentials
+> = (
+  secretRotation: T,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  issueCredentials: TRotationFactoryIssueCredentials<C>;
+  revokeCredentials: TRotationFactoryRevokeCredentials<C>;
+  rotateCredentials: TRotationFactoryRotateCredentials<C>;
+  getSecretsPayload: TRotationFactoryGetSecretsPayload<C>;
 };

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts

@@ -1,9 +1,11 @@
 import { z } from "zod";
 
+import { Auth0ClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/auth0-client-secret";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
 export const SecretRotationV2Schema = z.discriminatedUnion("type", [
   PostgresCredentialsRotationSchema,
-  MsSqlCredentialsRotationSchema
+  MsSqlCredentialsRotationSchema,
+  Auth0ClientSecretRotationSchema
 ]);

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts

@@ -1,6 +1,5 @@
-import { randomInt } from "crypto";
-
 import {
+  TRotationFactory,
   TRotationFactoryGetSecretsPayload,
   TRotationFactoryIssueCredentials,
   TRotationFactoryRevokeCredentials,
@@ -8,94 +7,12 @@ import {
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
 import { getSqlConnectionClient, SQL_CONNECTION_ALTER_LOGIN_STATEMENT } from "@app/services/app-connection/shared/sql";
 
+import { generatePassword } from "../utils";
 import {
   TSqlCredentialsRotationGeneratedCredentials,
   TSqlCredentialsRotationWithConnection
 } from "./sql-credentials-rotation-types";
 
-const DEFAULT_PASSWORD_REQUIREMENTS = {
-  length: 48,
-  required: {
-    lowercase: 1,
-    uppercase: 1,
-    digits: 1,
-    symbols: 0
-  },
-  allowedSymbols: "-_.~!*"
-};
-
-const generatePassword = () => {
-  try {
-    const { length, required, allowedSymbols } = DEFAULT_PASSWORD_REQUIREMENTS;
-
-    const chars = {
-      lowercase: "abcdefghijklmnopqrstuvwxyz",
-      uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
-      digits: "0123456789",
-      symbols: allowedSymbols || "-_.~!*"
-    };
-
-    const parts: string[] = [];
-
-    if (required.lowercase > 0) {
-      parts.push(
-        ...Array(required.lowercase)
-          .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
-      );
-    }
-
-    if (required.uppercase > 0) {
-      parts.push(
-        ...Array(required.uppercase)
-          .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
-      );
-    }
-
-    if (required.digits > 0) {
-      parts.push(
-        ...Array(required.digits)
-          .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
-      );
-    }
-
-    if (required.symbols > 0) {
-      parts.push(
-        ...Array(required.symbols)
-          .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
-      );
-    }
-
-    const requiredTotal = Object.values(required).reduce<number>((a, b) => a + b, 0);
-    const remainingLength = Math.max(length - requiredTotal, 0);
-
-    const allowedChars = Object.entries(chars)
-      .filter(([key]) => required[key as keyof typeof required] > 0)
-      .map(([, value]) => value)
-      .join("");
-
-    parts.push(
-      ...Array(remainingLength)
-        .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
-    );
-
-    // shuffle the array to mix up the characters
-    for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
-      [parts[i], parts[j]] = [parts[j], parts[i]];
-    }
-
-    return parts.join("");
-  } catch (error: unknown) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    throw new Error(`Failed to generate password: ${message}`);
-  }
-};
-
 const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGeneratedCredentials) => {
   const error = e as Error;
 
@@ -110,7 +27,10 @@ const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGenerat
   return redactedMessage;
 };
 
-export const sqlCredentialsRotationFactory = (secretRotation: TSqlCredentialsRotationWithConnection) => {
+export const sqlCredentialsRotationFactory: TRotationFactory<
+  TSqlCredentialsRotationWithConnection,
+  TSqlCredentialsRotationGeneratedCredentials
+> = (secretRotation) => {
   const {
     connection,
     parameters: { username1, username2 },
@@ -118,7 +38,7 @@ export const sqlCredentialsRotationFactory = (secretRotation: TSqlCredentialsRot
     secretsMapping
   } = secretRotation;
 
-  const validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
+  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
     const client = await getSqlConnectionClient({
       ...connection,
       credentials: {
@@ -136,7 +56,9 @@ export const sqlCredentialsRotationFactory = (secretRotation: TSqlCredentialsRot
     }
   };
 
-  const issueCredentials: TRotationFactoryIssueCredentials = async (callback) => {
+  const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
+    callback
+  ) => {
     const client = await getSqlConnectionClient(connection);
 
     // For SQL, since we get existing users, we change both their passwords
@@ -159,13 +81,16 @@ export const sqlCredentialsRotationFactory = (secretRotation: TSqlCredentialsRot
     }
 
     for await (const credentials of credentialsSet) {
-      await validateCredentials(credentials);
+      await $validateCredentials(credentials);
     }
 
     return callback(credentialsSet[0]);
   };
 
-  const revokeCredentials: TRotationFactoryRevokeCredentials = async (credentialsToRevoke, callback) => {
+  const revokeCredentials: TRotationFactoryRevokeCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
+    credentialsToRevoke,
+    callback
+  ) => {
     const client = await getSqlConnectionClient(connection);
 
     const revokedCredentials = credentialsToRevoke.map(({ username }) => ({ username, password: generatePassword() }));
@@ -186,7 +111,10 @@ export const sqlCredentialsRotationFactory = (secretRotation: TSqlCredentialsRot
     return callback();
   };
 
-  const rotateCredentials: TRotationFactoryRotateCredentials = async (_, callback) => {
+  const rotateCredentials: TRotationFactoryRotateCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
+    _,
+    callback
+  ) => {
     const client = await getSqlConnectionClient(connection);
 
     // generate new password for the next active user
@@ -200,12 +128,14 @@ export const sqlCredentialsRotationFactory = (secretRotation: TSqlCredentialsRot
       await client.destroy();
     }
 
-    await validateCredentials(credentials);
+    await $validateCredentials(credentials);
 
     return callback(credentials);
   };
 
-  const getSecretsPayload: TRotationFactoryGetSecretsPayload = (generatedCredentials) => {
+  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TSqlCredentialsRotationGeneratedCredentials> = (
+    generatedCredentials
+  ) => {
     const { username, password } = secretsMapping;
 
     const secrets = [
@@ -226,7 +156,6 @@ export const sqlCredentialsRotationFactory = (secretRotation: TSqlCredentialsRot
     issueCredentials,
     revokeCredentials,
     rotateCredentials,
-    getSecretsPayload,
-    validateCredentials
+    getSecretsPayload
   };
 };

backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts

@@ -0,0 +1,84 @@
+import { randomInt } from "crypto";
+
+const DEFAULT_PASSWORD_REQUIREMENTS = {
+  length: 48,
+  required: {
+    lowercase: 1,
+    uppercase: 1,
+    digits: 1,
+    symbols: 0
+  },
+  allowedSymbols: "-_.~!*"
+};
+
+export const generatePassword = () => {
+  try {
+    const { length, required, allowedSymbols } = DEFAULT_PASSWORD_REQUIREMENTS;
+
+    const chars = {
+      lowercase: "abcdefghijklmnopqrstuvwxyz",
+      uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+      digits: "0123456789",
+      symbols: allowedSymbols || "-_.~!*"
+    };
+
+    const parts: string[] = [];
+
+    if (required.lowercase > 0) {
+      parts.push(
+        ...Array(required.lowercase)
+          .fill(0)
+          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+      );
+    }
+
+    if (required.uppercase > 0) {
+      parts.push(
+        ...Array(required.uppercase)
+          .fill(0)
+          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+      );
+    }
+
+    if (required.digits > 0) {
+      parts.push(
+        ...Array(required.digits)
+          .fill(0)
+          .map(() => chars.digits[randomInt(chars.digits.length)])
+      );
+    }
+
+    if (required.symbols > 0) {
+      parts.push(
+        ...Array(required.symbols)
+          .fill(0)
+          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+      );
+    }
+
+    const requiredTotal = Object.values(required).reduce<number>((a, b) => a + b, 0);
+    const remainingLength = Math.max(length - requiredTotal, 0);
+
+    const allowedChars = Object.entries(chars)
+      .filter(([key]) => required[key as keyof typeof required] > 0)
+      .map(([, value]) => value)
+      .join("");
+
+    parts.push(
+      ...Array(remainingLength)
+        .fill(0)
+        .map(() => allowedChars[randomInt(allowedChars.length)])
+    );
+
+    // shuffle the array to mix up the characters
+    for (let i = parts.length - 1; i > 0; i -= 1) {
+      const j = randomInt(i + 1);
+      [parts[i], parts[j]] = [parts[j], parts[i]];
+    }
+
+    return parts.join("");
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    throw new Error(`Failed to generate password: ${message}`);
+  }
+};

backend/src/lib/api-docs/constants.ts

@@ -478,7 +478,8 @@ export const PROJECTS = {
     name: "The new name of the project.",
     projectDescription: "An optional description label for the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project.",
-    slug: "An optional slug for the project. (must be unique within the organization)"
+    slug: "An optional slug for the project. (must be unique within the organization)",
+    hasDeleteProtection: "Enable or disable delete protection for the project."
   },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
@@ -1782,6 +1783,12 @@ export const AppConnections = {
     connectionId: `The ID of the ${APP_CONNECTION_NAME_MAP[app]} Connection to be deleted.`
   }),
   CREDENTIALS: {
+    AUTH0_CONNECTION: {
+      domain: "The domain of the Auth0 instance to connect to.",
+      clientId: "Your Auth0 application's Client ID.",
+      clientSecret: "Your Auth0 application's Client Secret.",
+      audience: "The unique identifier of the target API you want to access."
+    },
     SQL_CONNECTION: {
       host: "The hostname of the database server.",
       port: "The port number of the database.",
@@ -1801,6 +1808,10 @@ export const AppConnections = {
     CAMUNDA: {
       clientId: "The client ID used to authenticate with Camunda.",
       clientSecret: "The client secret used to authenticate with Camunda."
+    },
+    WINDMILL: {
+      instanceUrl: "The Windmill instance URL to connect with (defaults to https://app.windmill.dev).",
+      accessToken: "The access token to use to connect with Windmill."
     }
   }
 };
@@ -1936,6 +1947,10 @@ export const SecretSyncs = {
       env: "The ID of the Vercel environment to sync secrets to.",
       branch: "The branch to sync preview secrets to.",
       teamId: "The ID of the Vercel team to sync secrets to."
+    },
+    WINDMILL: {
+      workspace: "The Windmill workspace to sync secrets to.",
+      path: "The Windmill workspace path to sync secrets to."
     }
   }
 };
@@ -1997,12 +2012,19 @@ export const SecretRotations = {
         "The username of the first login to rotate passwords for. This user must already exists in your database.",
       username2:
         "The username of the second login to rotate passwords for. This user must already exists in your database."
+    },
+    AUTH0_CLIENT_SECRET: {
+      clientId: "The client ID of the Auth0 Application to rotate the client secret for."
     }
   },
   SECRETS_MAPPING: {
     SQL_CREDENTIALS: {
       username: "The name of the secret that the active username will be mapped to.",
       password: "The name of the secret that the generated password will be mapped to."
+    },
+    AUTH0_CLIENT_SECRET: {
+      clientId: "The name of the secret that the client ID will be mapped to.",
+      clientSecret: "The name of the secret that the rotated client secret will be mapped to."
     }
   }
 };

backend/src/server/routes/index.ts

@@ -1255,7 +1255,8 @@ export const registerRoutes = async (
     userDAL,
     permissionService,
     projectDAL,
-    accessTokenQueue
+    accessTokenQueue,
+    smtpService
   });
 
   const identityService = identityServiceFactory({
@@ -1416,7 +1417,8 @@ export const registerRoutes = async (
     identityAccessTokenDAL,
     secretSharingDAL,
     secretVersionV2DAL: secretVersionV2BridgeDAL,
-    identityUniversalAuthClientSecretDAL: identityUaClientSecretDAL
+    identityUniversalAuthClientSecretDAL: identityUaClientSecretDAL,
+    serviceTokenService
   });
 
   const dailyExpiringPkiItemAlert = dailyExpiringPkiItemAlertQueueServiceFactory({
@@ -1549,7 +1551,8 @@ export const registerRoutes = async (
     resourceMetadataDAL,
     snapshotService,
     secretQueueService,
-    queueService
+    queueService,
+    appConnectionDAL
   });
 
   await secretRotationV2QueueServiceFactory({

backend/src/server/routes/sanitizedSchemas.ts

@@ -260,7 +260,8 @@ export const SanitizedProjectSchema = ProjectsSchema.pick({
   upgradeStatus: true,
   pitVersionLimit: true,
   kmsCertificateKeyId: true,
-  auditLogsRetentionDays: true
+  auditLogsRetentionDays: true,
+  hasDeleteProtection: true
 });
 
 export const SanitizedTagSchema = SecretTagsSchema.pick({

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -3,6 +3,7 @@ import { z } from "zod";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { Auth0ConnectionListItemSchema, SanitizedAuth0ConnectionSchema } from "@app/services/app-connection/auth0";
 import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
 import {
   AzureAppConfigurationConnectionListItemSchema,
@@ -36,6 +37,10 @@ import {
   TerraformCloudConnectionListItemSchema
 } from "@app/services/app-connection/terraform-cloud";
 import { SanitizedVercelConnectionSchema, VercelConnectionListItemSchema } from "@app/services/app-connection/vercel";
+import {
+  SanitizedWindmillConnectionSchema,
+  WindmillConnectionListItemSchema
+} from "@app/services/app-connection/windmill";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 // can't use discriminated due to multiple schemas for certain apps
@@ -51,7 +56,9 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedVercelConnectionSchema.options,
   ...SanitizedPostgresConnectionSchema.options,
   ...SanitizedMsSqlConnectionSchema.options,
-  ...SanitizedCamundaConnectionSchema.options
+  ...SanitizedCamundaConnectionSchema.options,
+  ...SanitizedWindmillConnectionSchema.options,
+  ...SanitizedAuth0ConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -66,7 +73,9 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   VercelConnectionListItemSchema,
   PostgresConnectionListItemSchema,
   MsSqlConnectionListItemSchema,
-  CamundaConnectionListItemSchema
+  CamundaConnectionListItemSchema,
+  WindmillConnectionListItemSchema,
+  Auth0ConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/auth0-connection-router.ts

@@ -0,0 +1,51 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateAuth0ConnectionSchema,
+  SanitizedAuth0ConnectionSchema,
+  UpdateAuth0ConnectionSchema
+} from "@app/services/app-connection/auth0";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerAuth0ConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Auth0,
+    server,
+    sanitizedResponseSchema: SanitizedAuth0ConnectionSchema,
+    createSchema: CreateAuth0ConnectionSchema,
+    updateSchema: UpdateAuth0ConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+
+  server.route({
+    method: "GET",
+    url: `/:connectionId/clients`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({
+          clients: z.object({ name: z.string(), id: z.string() }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const clients = await server.services.appConnection.auth0.listClients(connectionId, req.permission);
+
+      return { clients };
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,3 +1,4 @@
+import { registerAuth0ConnectionRouter } from "@app/server/routes/v1/app-connection-routers/auth0-connection-router";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
 import { registerAwsConnectionRouter } from "./aws-connection-router";
@@ -12,6 +13,7 @@ import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
 import { registerPostgresConnectionRouter } from "./postgres-connection-router";
 import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
 import { registerVercelConnectionRouter } from "./vercel-connection-router";
+import { registerWindmillConnectionRouter } from "./windmill-connection-router";
 
 export * from "./app-connection-router";
 
@@ -28,5 +30,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.Vercel]: registerVercelConnectionRouter,
     [AppConnection.Postgres]: registerPostgresConnectionRouter,
     [AppConnection.MsSql]: registerMsSqlConnectionRouter,
-    [AppConnection.Camunda]: registerCamundaConnectionRouter
+    [AppConnection.Camunda]: registerCamundaConnectionRouter,
+    [AppConnection.Windmill]: registerWindmillConnectionRouter,
+    [AppConnection.Auth0]: registerAuth0ConnectionRouter
   };

backend/src/server/routes/v1/app-connection-routers/windmill-connection-router.ts

@@ -0,0 +1,53 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateWindmillConnectionSchema,
+  SanitizedWindmillConnectionSchema,
+  UpdateWindmillConnectionSchema
+} from "@app/services/app-connection/windmill";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerWindmillConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Windmill,
+    server,
+    sanitizedResponseSchema: SanitizedWindmillConnectionSchema,
+    createSchema: CreateWindmillConnectionSchema,
+    updateSchema: UpdateWindmillConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/workspaces`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const workspaces = await server.services.appConnection.windmill.listWorkspaces(connectionId, req.permission);
+
+      return workspaces;
+    }
+  });
+};

backend/src/server/routes/v1/organization-router.ts

@@ -31,7 +31,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         200: z.object({
           organizations: sanitizedOrganizationSchema
             .extend({
-              orgAuthMethod: z.string()
+              orgAuthMethod: z.string(),
+              userRole: z.string()
             })
             .array()
         })
@@ -259,7 +260,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         defaultMembershipRoleSlug: slugSchema({ max: 64, field: "Default Membership Role" }).optional(),
         enforceMfa: z.boolean().optional(),
         selectedMfaMethod: z.nativeEnum(MfaMethod).optional(),
-        allowSecretSharingOutsideOrganization: z.boolean().optional()
+        allowSecretSharingOutsideOrganization: z.boolean().optional(),
+        bypassOrgAuthEnabled: z.boolean().optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/project-router.ts

@@ -312,6 +312,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           .optional()
           .describe(PROJECTS.UPDATE.projectDescription),
         autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization),
+        hasDeleteProtection: z.boolean().optional().describe(PROJECTS.UPDATE.hasDeleteProtection),
         slug: z
           .string()
           .trim()
@@ -340,6 +341,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           name: req.body.name,
           description: req.body.description,
           autoCapitalization: req.body.autoCapitalization,
+          hasDeleteProtection: req.body.hasDeleteProtection,
           slug: req.body.slug
         },
         actorAuthMethod: req.permission.authMethod,
@@ -390,6 +392,43 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/:workspaceId/delete-protection",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        workspaceId: z.string().trim()
+      }),
+      body: z.object({
+        hasDeleteProtection: z.boolean()
+      }),
+      response: {
+        200: z.object({
+          message: z.string(),
+          workspace: SanitizedProjectSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const workspace = await server.services.project.toggleDeleteProtection({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        projectId: req.params.workspaceId,
+        hasDeleteProtection: req.body.hasDeleteProtection
+      });
+      return {
+        message: "Successfully changed workspace settings",
+        workspace
+      };
+    }
+  });
+
   server.route({
     method: "PUT",
     url: "/:workspaceSlug/version-limit",

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -11,6 +11,7 @@ import { registerGitHubSyncRouter } from "./github-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
 import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
 import { registerVercelSyncRouter } from "./vercel-sync-router";
+import { registerWindmillSyncRouter } from "./windmill-sync-router";
 
 export * from "./secret-sync-router";
 
@@ -25,5 +26,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
   [SecretSync.Humanitec]: registerHumanitecSyncRouter,
   [SecretSync.TerraformCloud]: registerTerraformCloudSyncRouter,
   [SecretSync.Camunda]: registerCamundaSyncRouter,
-  [SecretSync.Vercel]: registerVercelSyncRouter
+  [SecretSync.Vercel]: registerVercelSyncRouter,
+  [SecretSync.Windmill]: registerWindmillSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -25,6 +25,7 @@ import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
 import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
 import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
+import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill";
 
 const SecretSyncSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncSchema,
@@ -37,7 +38,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
   HumanitecSyncSchema,
   TerraformCloudSyncSchema,
   CamundaSyncSchema,
-  VercelSyncSchema
+  VercelSyncSchema,
+  WindmillSyncSchema
 ]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@@ -51,7 +53,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   HumanitecSyncListItemSchema,
   TerraformCloudSyncListItemSchema,
   CamundaSyncListItemSchema,
-  VercelSyncListItemSchema
+  VercelSyncListItemSchema,
+  WindmillSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/secret-sync-routers/windmill-sync-router.ts

@@ -0,0 +1,17 @@
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  CreateWindmillSyncSchema,
+  UpdateWindmillSyncSchema,
+  WindmillSyncSchema
+} from "@app/services/secret-sync/windmill";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerWindmillSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Windmill,
+    server,
+    responseSchema: WindmillSyncSchema,
+    createSchema: CreateWindmillSyncSchema,
+    updateSchema: UpdateWindmillSyncSchema
+  });

backend/src/server/routes/v2/project-router.ts

@@ -303,7 +303,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         name: z.string().trim().optional().describe(PROJECTS.UPDATE.name),
         description: z.string().trim().optional().describe(PROJECTS.UPDATE.projectDescription),
-        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
+        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization),
+        hasDeleteProtection: z.boolean().optional().describe(PROJECTS.UPDATE.hasDeleteProtection)
       }),
       response: {
         200: SanitizedProjectSchema
@@ -321,7 +322,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         update: {
           name: req.body.name,
           description: req.body.description,
-          autoCapitalization: req.body.autoCapitalization
+          autoCapitalization: req.body.autoCapitalization,
+          hasDeleteProtection: req.body.hasDeleteProtection
         },
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,

backend/src/services/app-connection/app-connection-enums.ts

@@ -10,7 +10,9 @@ export enum AppConnection {
   Vercel = "vercel",
   Postgres = "postgres",
   MsSql = "mssql",
-  Camunda = "camunda"
+  Camunda = "camunda",
+  Windmill = "windmill",
+  Auth0 = "auth0"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -16,6 +16,7 @@ import {
   TAppConnectionCredentialsValidator,
   TAppConnectionTransitionCredentialsToPlatform
 } from "./app-connection-types";
+import { Auth0ConnectionMethod, getAuth0ConnectionListItem, validateAuth0ConnectionCredentials } from "./auth0";
 import { AwsConnectionMethod, getAwsConnectionListItem, validateAwsConnectionCredentials } from "./aws";
 import {
   AzureAppConfigurationConnectionMethod,
@@ -49,6 +50,11 @@ import {
 } from "./terraform-cloud";
 import { VercelConnectionMethod } from "./vercel";
 import { getVercelConnectionListItem, validateVercelConnectionCredentials } from "./vercel/vercel-connection-fns";
+import {
+  getWindmillConnectionListItem,
+  validateWindmillConnectionCredentials,
+  WindmillConnectionMethod
+} from "./windmill";
 
 export const listAppConnectionOptions = () => {
   return [
@@ -63,7 +69,9 @@ export const listAppConnectionOptions = () => {
     getVercelConnectionListItem(),
     getPostgresConnectionListItem(),
     getMsSqlConnectionListItem(),
-    getCamundaConnectionListItem()
+    getCamundaConnectionListItem(),
+    getWindmillConnectionListItem(),
+    getAuth0ConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -109,25 +117,29 @@ export const decryptAppConnectionCredentials = async ({
   return JSON.parse(decryptedPlainTextBlob.toString()) as TAppConnection["credentials"];
 };
 
-const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TAppConnectionCredentialsValidator> = {
-  [AppConnection.AWS]: validateAwsConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.Databricks]: validateDatabricksConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.GitHub]: validateGitHubConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.GCP]: validateGcpConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.AzureKeyVault]: validateAzureKeyVaultConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.AzureAppConfiguration]:
-    validateAzureAppConfigurationConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.Humanitec]: validateHumanitecConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.Postgres]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.MsSql]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.TerraformCloud]: validateTerraformCloudConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.Camunda]: validateCamundaConnectionCredentials as TAppConnectionCredentialsValidator,
-  [AppConnection.Vercel]: validateVercelConnectionCredentials as TAppConnectionCredentialsValidator
-};
-
 export const validateAppConnectionCredentials = async (
   appConnection: TAppConnectionConfig
-): Promise<TAppConnection["credentials"]> => VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
+): Promise<TAppConnection["credentials"]> => {
+  const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TAppConnectionCredentialsValidator> = {
+    [AppConnection.AWS]: validateAwsConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Databricks]: validateDatabricksConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.GitHub]: validateGitHubConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.GCP]: validateGcpConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.AzureKeyVault]: validateAzureKeyVaultConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.AzureAppConfiguration]:
+      validateAzureAppConfigurationConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Humanitec]: validateHumanitecConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Postgres]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.MsSql]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Camunda]: validateCamundaConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Vercel]: validateVercelConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.TerraformCloud]: validateTerraformCloudConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Auth0]: validateAuth0ConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Windmill]: validateWindmillConnectionCredentials as TAppConnectionCredentialsValidator
+  };
+
+  return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
+};
 
 export const getAppConnectionMethodName = (method: TAppConnection["method"]) => {
   switch (method) {
@@ -154,6 +166,10 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
       return "Username & Password";
+    case WindmillConnectionMethod.AccessToken:
+      return "Access Token";
+    case Auth0ConnectionMethod.ClientCredentials:
+      return "Client Credentials";
     default:
       // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
       throw new Error(`Unhandled App Connection Method: ${method}`);
@@ -196,5 +212,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.MsSql]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
   [AppConnection.TerraformCloud]: platformManagedCredentialsNotSupported,
   [AppConnection.Camunda]: platformManagedCredentialsNotSupported,
-  [AppConnection.Vercel]: platformManagedCredentialsNotSupported
+  [AppConnection.Vercel]: platformManagedCredentialsNotSupported,
+  [AppConnection.Windmill]: platformManagedCredentialsNotSupported,
+  [AppConnection.Auth0]: platformManagedCredentialsNotSupported
 };

backend/src/services/app-connection/app-connection-maps.ts

@@ -12,5 +12,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.Vercel]: "Vercel",
   [AppConnection.Postgres]: "PostgreSQL",
   [AppConnection.MsSql]: "Microsoft SQL Server",
-  [AppConnection.Camunda]: "Camunda"
+  [AppConnection.Camunda]: "Camunda",
+  [AppConnection.Windmill]: "Windmill",
+  [AppConnection.Auth0]: "Auth0"
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -14,6 +14,7 @@ import {
   TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM,
   validateAppConnectionCredentials
 } from "@app/services/app-connection/app-connection-fns";
+import { auth0ConnectionService } from "@app/services/app-connection/auth0/auth0-connection-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 
 import { TAppConnectionDALFactory } from "./app-connection-dal";
@@ -27,6 +28,7 @@ import {
   TUpdateAppConnectionDTO,
   TValidateAppConnectionCredentialsSchema
 } from "./app-connection-types";
+import { ValidateAuth0ConnectionCredentialsSchema } from "./auth0";
 import { ValidateAwsConnectionCredentialsSchema } from "./aws";
 import { awsConnectionService } from "./aws/aws-connection-service";
 import { ValidateAzureAppConfigurationConnectionCredentialsSchema } from "./azure-app-configuration";
@@ -47,6 +49,8 @@ import { ValidateTerraformCloudConnectionCredentialsSchema } from "./terraform-c
 import { terraformCloudConnectionService } from "./terraform-cloud/terraform-cloud-connection-service";
 import { ValidateVercelConnectionCredentialsSchema } from "./vercel";
 import { vercelConnectionService } from "./vercel/vercel-connection-service";
+import { ValidateWindmillConnectionCredentialsSchema } from "./windmill";
+import { windmillConnectionService } from "./windmill/windmill-connection-service";
 
 export type TAppConnectionServiceFactoryDep = {
   appConnectionDAL: TAppConnectionDALFactory;
@@ -68,7 +72,9 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.Vercel]: ValidateVercelConnectionCredentialsSchema,
   [AppConnection.Postgres]: ValidatePostgresConnectionCredentialsSchema,
   [AppConnection.MsSql]: ValidateMsSqlConnectionCredentialsSchema,
-  [AppConnection.Camunda]: ValidateCamundaConnectionCredentialsSchema
+  [AppConnection.Camunda]: ValidateCamundaConnectionCredentialsSchema,
+  [AppConnection.Windmill]: ValidateWindmillConnectionCredentialsSchema,
+  [AppConnection.Auth0]: ValidateAuth0ConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -442,6 +448,8 @@ export const appConnectionServiceFactory = ({
     humanitec: humanitecConnectionService(connectAppConnectionById),
     terraformCloud: terraformCloudConnectionService(connectAppConnectionById),
     camunda: camundaConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
-    vercel: vercelConnectionService(connectAppConnectionById)
+    vercel: vercelConnectionService(connectAppConnectionById),
+    windmill: windmillConnectionService(connectAppConnectionById),
+    auth0: auth0ConnectionService(connectAppConnectionById, appConnectionDAL, kmsService)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -3,6 +3,12 @@ import { TSqlConnectionConfig } from "@app/services/app-connection/shared/sql/sq
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
 import { AWSRegion } from "./app-connection-enums";
+import {
+  TAuth0Connection,
+  TAuth0ConnectionConfig,
+  TAuth0ConnectionInput,
+  TValidateAuth0ConnectionCredentialsSchema
+} from "./auth0";
 import {
   TAwsConnection,
   TAwsConnectionConfig,
@@ -69,6 +75,12 @@ import {
   TVercelConnectionConfig,
   TVercelConnectionInput
 } from "./vercel";
+import {
+  TValidateWindmillConnectionCredentialsSchema,
+  TWindmillConnection,
+  TWindmillConnectionConfig,
+  TWindmillConnectionInput
+} from "./windmill";
 
 export type TAppConnection = { id: string } & (
   | TAwsConnection
@@ -83,6 +95,8 @@ export type TAppConnection = { id: string } & (
   | TPostgresConnection
   | TMsSqlConnection
   | TCamundaConnection
+  | TWindmillConnection
+  | TAuth0Connection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -102,6 +116,8 @@ export type TAppConnectionInput = { id: string } & (
   | TPostgresConnectionInput
   | TMsSqlConnectionInput
   | TCamundaConnectionInput
+  | TWindmillConnectionInput
+  | TAuth0ConnectionInput
 );
 
 export type TSqlConnectionInput = TPostgresConnectionInput | TMsSqlConnectionInput;
@@ -126,7 +142,9 @@ export type TAppConnectionConfig =
   | TTerraformCloudConnectionConfig
   | TVercelConnectionConfig
   | TSqlConnectionConfig
-  | TCamundaConnectionConfig;
+  | TCamundaConnectionConfig
+  | TWindmillConnectionConfig
+  | TAuth0ConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -140,7 +158,9 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateMsSqlConnectionCredentialsSchema
   | TValidateCamundaConnectionCredentialsSchema
   | TValidateTerraformCloudConnectionCredentialsSchema
-  | TValidateVercelConnectionCredentialsSchema;
+  | TValidateVercelConnectionCredentialsSchema
+  | TValidateWindmillConnectionCredentialsSchema
+  | TValidateAuth0ConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;

backend/src/services/app-connection/auth0/auth0-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum Auth0ConnectionMethod {
+  ClientCredentials = "client-credentials"
+}

backend/src/services/app-connection/auth0/auth0-connection-fns.ts

@@ -0,0 +1,97 @@
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { Auth0ConnectionMethod } from "./auth0-connection-enums";
+import { TAuth0AccessTokenResponse, TAuth0Connection, TAuth0ConnectionConfig } from "./auth0-connection-types";
+
+export const getAuth0ConnectionListItem = () => {
+  return {
+    name: "Auth0" as const,
+    app: AppConnection.Auth0 as const,
+    methods: Object.values(Auth0ConnectionMethod) as [Auth0ConnectionMethod.ClientCredentials]
+  };
+};
+
+const authorizeAuth0Connection = async ({
+  clientId,
+  clientSecret,
+  domain,
+  audience
+}: TAuth0ConnectionConfig["credentials"]) => {
+  const instanceUrl = domain.startsWith("http") ? domain : `https://${domain}`;
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+  const { data } = await request.request<TAuth0AccessTokenResponse>({
+    method: "POST",
+    url: `${removeTrailingSlash(instanceUrl)}/oauth/token`,
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    data: new URLSearchParams({
+      grant_type: "client_credentials", // this will need to be resolved if we support methods other than client credentials
+      client_id: clientId,
+      client_secret: clientSecret,
+      audience
+    })
+  });
+
+  if (data.token_type !== "Bearer") {
+    throw new Error(`Unhandled token type: ${data.token_type}`);
+  }
+
+  return {
+    accessToken: data.access_token,
+    // cap token lifespan to 10 minutes
+    expiresAt: Math.min(data.expires_in * 1000, 600000) + Date.now()
+  };
+};
+
+export const getAuth0ConnectionAccessToken = async (
+  { id, orgId, credentials }: TAuth0Connection,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const { expiresAt, accessToken } = credentials;
+
+  // get new token if expired or less than 5 minutes until expiry
+  if (Date.now() < expiresAt - 300000) {
+    return accessToken;
+  }
+
+  const authData = await authorizeAuth0Connection(credentials);
+
+  const updatedCredentials: TAuth0Connection["credentials"] = {
+    ...credentials,
+    ...authData
+  };
+
+  const encryptedCredentials = await encryptAppConnectionCredentials({
+    credentials: updatedCredentials,
+    orgId,
+    kmsService
+  });
+
+  await appConnectionDAL.updateById(id, { encryptedCredentials });
+
+  return authData.accessToken;
+};
+
+export const validateAuth0ConnectionCredentials = async ({ credentials }: TAuth0ConnectionConfig) => {
+  try {
+    const { accessToken, expiresAt } = await authorizeAuth0Connection(credentials);
+
+    return {
+      ...credentials,
+      accessToken,
+      expiresAt
+    };
+  } catch (e: unknown) {
+    throw new BadRequestError({
+      message: (e as Error).message ?? `Unable to validate connection: verify credentials`
+    });
+  }
+};

backend/src/services/app-connection/auth0/auth0-connection-schemas.ts

@@ -0,0 +1,94 @@
+import { z } from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { Auth0ConnectionMethod } from "./auth0-connection-enums";
+
+export const Auth0ConnectionClientCredentialsInputCredentialsSchema = z.object({
+  domain: z.string().trim().min(1, "Domain required").describe(AppConnections.CREDENTIALS.AUTH0_CONNECTION.domain),
+  clientId: z
+    .string()
+    .trim()
+    .min(1, "Client ID required")
+    .describe(AppConnections.CREDENTIALS.AUTH0_CONNECTION.clientId),
+  clientSecret: z
+    .string()
+    .trim()
+    .min(1, "Client Secret required")
+    .describe(AppConnections.CREDENTIALS.AUTH0_CONNECTION.clientSecret),
+  audience: z
+    .string()
+    .trim()
+    .url()
+    .min(1, "Audience required")
+    .describe(AppConnections.CREDENTIALS.AUTH0_CONNECTION.audience)
+});
+
+const Auth0ConnectionClientCredentialsOutputCredentialsSchema = z
+  .object({
+    accessToken: z.string(),
+    expiresAt: z.number()
+  })
+  .merge(Auth0ConnectionClientCredentialsInputCredentialsSchema);
+
+const BaseAuth0ConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.Auth0)
+});
+
+export const Auth0ConnectionSchema = z.intersection(
+  BaseAuth0ConnectionSchema,
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(Auth0ConnectionMethod.ClientCredentials),
+      credentials: Auth0ConnectionClientCredentialsOutputCredentialsSchema
+    })
+  ])
+);
+
+export const SanitizedAuth0ConnectionSchema = z.discriminatedUnion("method", [
+  BaseAuth0ConnectionSchema.extend({
+    method: z.literal(Auth0ConnectionMethod.ClientCredentials),
+    credentials: Auth0ConnectionClientCredentialsInputCredentialsSchema.pick({
+      domain: true,
+      clientId: true,
+      audience: true
+    })
+  })
+]);
+
+export const ValidateAuth0ConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(Auth0ConnectionMethod.ClientCredentials)
+      .describe(AppConnections.CREATE(AppConnection.Auth0).method),
+    credentials: Auth0ConnectionClientCredentialsInputCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Auth0).credentials
+    )
+  })
+]);
+
+export const CreateAuth0ConnectionSchema = ValidateAuth0ConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Auth0)
+);
+
+export const UpdateAuth0ConnectionSchema = z
+  .object({
+    credentials: Auth0ConnectionClientCredentialsInputCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Auth0).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Auth0));
+
+export const Auth0ConnectionListItemSchema = z.object({
+  name: z.literal("Auth0"),
+  app: z.literal(AppConnection.Auth0),
+  // the below is preferable but currently breaks with our zod to json schema parser
+  // methods: z.tuple([z.literal(AwsConnectionMethod.ServicePrincipal), z.literal(AwsConnectionMethod.AccessKey)]),
+  methods: z.nativeEnum(Auth0ConnectionMethod).array()
+});

backend/src/services/app-connection/auth0/auth0-connection-service.ts

@@ -0,0 +1,71 @@
+import { request } from "@app/lib/config/request";
+import { OrgServiceActor } from "@app/lib/types";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { getAuth0ConnectionAccessToken } from "@app/services/app-connection/auth0/auth0-connection-fns";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAuth0Connection, TAuth0ListClient, TAuth0ListClientsResponse } from "./auth0-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TAuth0Connection>;
+
+const listAuth0Clients = async (
+  appConnection: TAuth0Connection,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const accessToken = await getAuth0ConnectionAccessToken(appConnection, appConnectionDAL, kmsService);
+
+  const { audience, clientId: connectionClientId } = appConnection.credentials;
+  await blockLocalAndPrivateIpAddresses(audience);
+
+  const clients: TAuth0ListClient[] = [];
+  let hasMore = true;
+  let page = 0;
+
+  while (hasMore) {
+    // eslint-disable-next-line no-await-in-loop
+    const { data: clientsPage } = await request.get<TAuth0ListClientsResponse>(`${audience}clients`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
+      },
+      params: {
+        include_totals: true,
+        per_page: 100,
+        page
+      }
+    });
+
+    clients.push(...clientsPage.clients);
+    page += 1;
+    hasMore = clientsPage.total > clients.length;
+  }
+
+  return (
+    clients.filter((client) => client.client_id !== connectionClientId && client.name !== "All Applications") ?? []
+  );
+};
+
+export const auth0ConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const listClients = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Auth0, connectionId, actor);
+
+    const clients = await listAuth0Clients(appConnection, appConnectionDAL, kmsService);
+
+    return clients.map((client) => ({ id: client.client_id, name: client.name }));
+  };
+
+  return {
+    listClients
+  };
+};

backend/src/services/app-connection/auth0/auth0-connection-types.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import {
+  Auth0ConnectionSchema,
+  CreateAuth0ConnectionSchema,
+  ValidateAuth0ConnectionCredentialsSchema
+} from "./auth0-connection-schemas";
+
+export type TAuth0Connection = z.infer<typeof Auth0ConnectionSchema>;
+
+export type TAuth0ConnectionInput = z.infer<typeof CreateAuth0ConnectionSchema> & {
+  app: AppConnection.Auth0;
+};
+
+export type TValidateAuth0ConnectionCredentialsSchema = typeof ValidateAuth0ConnectionCredentialsSchema;
+
+export type TAuth0ConnectionConfig = DiscriminativePick<TAuth0Connection, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TAuth0AccessTokenResponse = {
+  access_token: string;
+  expires_in: number;
+  scope: string;
+  token_type: string;
+};
+
+export type TAuth0ListClient = {
+  name: string;
+  client_id: string;
+};
+
+export type TAuth0ListClientsResponse = {
+  total: number;
+  clients: TAuth0ListClient[];
+};

backend/src/services/app-connection/auth0/index.ts

@@ -0,0 +1,4 @@
+export * from "./auth0-connection-enums";
+export * from "./auth0-connection-fns";
+export * from "./auth0-connection-schemas";
+export * from "./auth0-connection-types";

backend/src/services/app-connection/databricks/databricks-connection-fns.ts

@@ -1,6 +1,7 @@
 import { request } from "@app/lib/config/request";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
@@ -26,6 +27,8 @@ const authorizeDatabricksConnection = async ({
   clientSecret,
   workspaceUrl
 }: Pick<TDatabricksConnection["credentials"], "workspaceUrl" | "clientId" | "clientSecret">) => {
+  await blockLocalAndPrivateIpAddresses(workspaceUrl);
+
   const { data } = await request.post<TAuthorizeDatabricksConnection>(
     `${removeTrailingSlash(workspaceUrl)}/oidc/v1/token`,
     "grant_type=client_credentials&scope=all-apis",

backend/src/services/app-connection/databricks/databricks-connection-schemas.ts

@@ -16,7 +16,7 @@ export const DatabricksConnectionServicePrincipalInputCredentialsSchema = z.obje
   workspaceUrl: z.string().trim().url().min(1, "Workspace URL required")
 });
 
-export const DatabricksConnectionServicePrincipalOutputCredentialsSchema = z
+const DatabricksConnectionServicePrincipalOutputCredentialsSchema = z
   .object({
     accessToken: z.string(),
     expiresAt: z.number()

backend/src/services/app-connection/terraform-cloud/terraform-cloud-connection-fns.ts

@@ -44,7 +44,7 @@ export const validateTerraformCloudConnectionCredentials = async (config: TTerra
       });
     }
     throw new BadRequestError({
-      message: "Unable to validate connection - verify credentials"
+      message: "Unable to validate connection: verify credentials"
     });
   }
 

backend/src/services/app-connection/vercel/vercel-connection-fns.ts

@@ -1,5 +1,5 @@
 /* eslint-disable no-await-in-loop */
-import { AxiosError, AxiosResponse } from "axios";
+import { AxiosError } from "axios";
 
 import { request } from "@app/lib/config/request";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
@@ -27,10 +27,8 @@ export const getVercelConnectionListItem = () => {
 export const validateVercelConnectionCredentials = async (config: TVercelConnectionConfig) => {
   const { credentials: inputCredentials } = config;
 
-  let response: AxiosResponse<VercelApp[]> | null = null;
-
   try {
-    response = await request.get<VercelApp[]>(`${IntegrationUrls.VERCEL_API_URL}/v9/projects`, {
+    await request.get(`${IntegrationUrls.VERCEL_API_URL}/v2/user`, {
       headers: {
         Authorization: `Bearer ${inputCredentials.apiToken}`
       }
@@ -38,17 +36,14 @@ export const validateVercelConnectionCredentials = async (config: TVercelConnect
   } catch (error: unknown) {
     if (error instanceof AxiosError) {
       throw new BadRequestError({
-        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+        message: `Failed to validate credentials: ${
+          error.response?.data ? JSON.stringify(error.response?.data) : error.message || "Unknown error"
+        }`
       });
     }
     throw new BadRequestError({
-      message: "Unable to validate connection - verify credentials"
-    });
-  }
-
-  if (!response?.data) {
-    throw new InternalServerError({
-      message: "Failed to get organizations: Response was empty"
+      message: `Unable to validate connection: ${(error as Error).message || "Verify credentials"}`
     });
   }
 

backend/src/services/app-connection/windmill/index.ts

@@ -0,0 +1,4 @@
+export * from "./windmill-connection-enums";
+export * from "./windmill-connection-fns";
+export * from "./windmill-connection-schemas";
+export * from "./windmill-connection-types";

backend/src/services/app-connection/windmill/windmill-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum WindmillConnectionMethod {
+  AccessToken = "access-token"
+}

backend/src/services/app-connection/windmill/windmill-connection-fns.ts

@@ -0,0 +1,65 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { WindmillConnectionMethod } from "./windmill-connection-enums";
+import { TWindmillConnection, TWindmillConnectionConfig, TWindmillWorkspace } from "./windmill-connection-types";
+
+export const getWindmillInstanceUrl = async (config: TWindmillConnectionConfig) => {
+  const instanceUrl = config.credentials.instanceUrl
+    ? removeTrailingSlash(config.credentials.instanceUrl)
+    : "https://app.windmill.dev";
+
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+  return instanceUrl;
+};
+
+export const getWindmillConnectionListItem = () => {
+  return {
+    name: "Windmill" as const,
+    app: AppConnection.Windmill as const,
+    methods: Object.values(WindmillConnectionMethod) as [WindmillConnectionMethod.AccessToken]
+  };
+};
+
+export const validateWindmillConnectionCredentials = async (config: TWindmillConnectionConfig) => {
+  const instanceUrl = await getWindmillInstanceUrl(config);
+  const { accessToken } = config.credentials;
+
+  try {
+    await request.get(`${instanceUrl}/api/workspaces/list`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  return config.credentials;
+};
+
+export const listWindmillWorkspaces = async (appConnection: TWindmillConnection) => {
+  const instanceUrl = await getWindmillInstanceUrl(appConnection);
+  const { accessToken } = appConnection.credentials;
+
+  const resp = await request.get<TWindmillWorkspace[]>(`${instanceUrl}/api/workspaces/list`, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+
+  return resp.data.filter((workspace) => !workspace.deleted);
+};

backend/src/services/app-connection/windmill/windmill-connection-schemas.ts

@@ -0,0 +1,70 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { WindmillConnectionMethod } from "./windmill-connection-enums";
+
+export const WindmillConnectionAccessTokenCredentialsSchema = z.object({
+  accessToken: z
+    .string()
+    .trim()
+    .min(1, "Access Token required")
+    .describe(AppConnections.CREDENTIALS.WINDMILL.accessToken),
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Instance URL")
+    .optional()
+    .describe(AppConnections.CREDENTIALS.WINDMILL.instanceUrl)
+});
+
+const BaseWindmillConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Windmill) });
+
+export const WindmillConnectionSchema = BaseWindmillConnectionSchema.extend({
+  method: z.literal(WindmillConnectionMethod.AccessToken),
+  credentials: WindmillConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedWindmillConnectionSchema = z.discriminatedUnion("method", [
+  BaseWindmillConnectionSchema.extend({
+    method: z.literal(WindmillConnectionMethod.AccessToken),
+    credentials: WindmillConnectionAccessTokenCredentialsSchema.pick({
+      instanceUrl: true
+    })
+  })
+]);
+
+export const ValidateWindmillConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(WindmillConnectionMethod.AccessToken)
+      .describe(AppConnections.CREATE(AppConnection.Windmill).method),
+    credentials: WindmillConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Windmill).credentials
+    )
+  })
+]);
+
+export const CreateWindmillConnectionSchema = ValidateWindmillConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Windmill)
+);
+
+export const UpdateWindmillConnectionSchema = z
+  .object({
+    credentials: WindmillConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.Windmill).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Windmill));
+
+export const WindmillConnectionListItemSchema = z.object({
+  name: z.literal("Windmill"),
+  app: z.literal(AppConnection.Windmill),
+  methods: z.nativeEnum(WindmillConnectionMethod).array()
+});

backend/src/services/app-connection/windmill/windmill-connection-service.ts

@@ -0,0 +1,28 @@
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listWindmillWorkspaces } from "./windmill-connection-fns";
+import { TWindmillConnection } from "./windmill-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TWindmillConnection>;
+
+export const windmillConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listWorkspaces = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Windmill, connectionId, actor);
+
+    try {
+      const workspaces = await listWindmillWorkspaces(appConnection);
+      return workspaces;
+    } catch (error) {
+      return [];
+    }
+  };
+
+  return {
+    listWorkspaces
+  };
+};

backend/src/services/app-connection/windmill/windmill-connection-types.ts

@@ -0,0 +1,27 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateWindmillConnectionSchema,
+  ValidateWindmillConnectionCredentialsSchema,
+  WindmillConnectionSchema
+} from "./windmill-connection-schemas";
+
+export type TWindmillConnection = z.infer<typeof WindmillConnectionSchema>;
+
+export type TWindmillConnectionInput = z.infer<typeof CreateWindmillConnectionSchema> & {
+  app: AppConnection.Windmill;
+};
+
+export type TValidateWindmillConnectionCredentialsSchema = typeof ValidateWindmillConnectionCredentialsSchema;
+
+export type TWindmillConnectionConfig = DiscriminativePick<
+  TWindmillConnectionInput,
+  "method" | "app" | "credentials"
+> & {
+  orgId: string;
+};
+
+export type TWindmillWorkspace = { id: string; name: string; deleted: boolean };

backend/src/services/auth/auth-login-service.ts

@@ -2,7 +2,7 @@ import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";
 import { Knex } from "knex";
 
-import { TUsers, UserDeviceSchema } from "@app/db/schemas";
+import { OrgMembershipRole, TUsers, UserDeviceSchema } from "@app/db/schemas";
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
@@ -174,20 +174,25 @@ export const authLoginServiceFactory = ({
     const userEnc = await userDAL.findUserEncKeyByUsername({
       username: email
     });
+
     const serverCfg = await getServerCfg();
 
+    if (!userEnc || (userEnc && !userEnc.isAccepted)) {
+      throw new Error("Failed to find user");
+    }
+
     if (
       serverCfg.enabledLoginMethods &&
       !serverCfg.enabledLoginMethods.includes(LoginMethod.EMAIL) &&
       !providerAuthToken
     ) {
-      throw new BadRequestError({
-        message: "Login with email is disabled by administrator."
-      });
-    }
-
-    if (!userEnc || (userEnc && !userEnc.isAccepted)) {
-      throw new Error("Failed to find user");
+      // bypass server configuration when user is an organization admin - this is to prevent lockout
+      const userOrgs = await orgDAL.findAllOrgsByUserId(userEnc.userId);
+      if (!userOrgs.some((org) => org.userRole === OrgMembershipRole.Admin)) {
+        throw new BadRequestError({
+          message: "Login with email is disabled by administrator."
+        });
+      }
     }
 
     if (!userEnc.authMethods?.includes(AuthMethod.EMAIL)) {
@@ -573,28 +578,40 @@ export const authLoginServiceFactory = ({
       switch (authMethod) {
         case AuthMethod.GITHUB: {
           if (!serverCfg.enabledLoginMethods.includes(LoginMethod.GITHUB)) {
-            throw new BadRequestError({
-              message: "Login with Github is disabled by administrator.",
-              name: "Oauth 2 login"
-            });
+            // bypass server configuration when user is an organization admin - this is to prevent lockout
+            const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
+            if (!userOrgs.some((org) => org.userRole === OrgMembershipRole.Admin)) {
+              throw new BadRequestError({
+                message: "Login with Github is disabled by administrator.",
+                name: "Oauth 2 login"
+              });
+            }
           }
           break;
         }
         case AuthMethod.GOOGLE: {
           if (!serverCfg.enabledLoginMethods.includes(LoginMethod.GOOGLE)) {
-            throw new BadRequestError({
-              message: "Login with Google is disabled by administrator.",
-              name: "Oauth 2 login"
-            });
+            // bypass server configuration when user is an organization admin - this is to prevent lockout
+            const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
+            if (!userOrgs.some((org) => org.userRole === OrgMembershipRole.Admin)) {
+              throw new BadRequestError({
+                message: "Login with Google is disabled by administrator.",
+                name: "Oauth 2 login"
+              });
+            }
           }
           break;
         }
         case AuthMethod.GITLAB: {
           if (!serverCfg.enabledLoginMethods.includes(LoginMethod.GITLAB)) {
-            throw new BadRequestError({
-              message: "Login with Gitlab is disabled by administrator.",
-              name: "Oauth 2 login"
-            });
+            // bypass server configuration when user is an organization admin - this is to prevent lockout
+            const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
+            if (!userOrgs.some((org) => org.userRole === OrgMembershipRole.Admin)) {
+              throw new BadRequestError({
+                message: "Login with Gitlab is disabled by administrator.",
+                name: "Oauth 2 login"
+              });
+            }
           }
           break;
         }

backend/src/services/org/org-dal.ts

@@ -96,7 +96,9 @@ export const orgDALFactory = (db: TDbClient) => {
   };
 
   // special query
-  const findAllOrgsByUserId = async (userId: string): Promise<(TOrganizations & { orgAuthMethod: string })[]> => {
+  const findAllOrgsByUserId = async (
+    userId: string
+  ): Promise<(TOrganizations & { orgAuthMethod: string; userRole: string })[]> => {
     try {
       const org = (await db
         .replicaNode()(TableName.OrgMembership)
@@ -117,6 +119,7 @@ export const orgDALFactory = (db: TDbClient) => {
           );
         })
         .select(selectAllTableCols(TableName.Organization))
+        .select(db.ref("role").withSchema(TableName.OrgMembership).as("userRole"))
         .select(
           db.raw(`
             CASE
@@ -125,7 +128,7 @@ export const orgDALFactory = (db: TDbClient) => {
               ELSE ''
             END as "orgAuthMethod"
         `)
-        )) as (TOrganizations & { orgAuthMethod: string })[];
+        )) as (TOrganizations & { orgAuthMethod: string; userRole: string })[];
 
       return org;
     } catch (error) {

backend/src/services/org/org-schema.ts

@@ -16,5 +16,6 @@ export const sanitizedOrganizationSchema = OrganizationsSchema.pick({
   allowSecretSharingOutsideOrganization: true,
   shouldUseNewPrivilegeSystem: true,
   privilegeUpgradeInitiatedByUsername: true,
-  privilegeUpgradeInitiatedAt: true
+  privilegeUpgradeInitiatedAt: true,
+  bypassOrgAuthEnabled: true
 });

backend/src/services/org/org-service.ts

@@ -110,8 +110,8 @@ type TOrgServiceFactoryDep = {
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "insertMany" | "findLatestProjectKey" | "create">;
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOrgMembershipById" | "findOne" | "findById">;
   incidentContactDAL: TIncidentContactsDALFactory;
-  samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne" | "findEnforceableSamlCfg">;
-  oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne" | "findEnforceableOidcCfg">;
+  samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne">;
+  oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne">;
   smtpService: TSmtpService;
   tokenService: TAuthTokenServiceFactory;
   permissionService: TPermissionServiceFactory;
@@ -349,7 +349,8 @@ export const orgServiceFactory = ({
       defaultMembershipRoleSlug,
       enforceMfa,
       selectedMfaMethod,
-      allowSecretSharingOutsideOrganization
+      allowSecretSharingOutsideOrganization,
+      bypassOrgAuthEnabled
     }
   }: TUpdateOrgDTO) => {
     const appCfg = getConfig();
@@ -402,13 +403,33 @@ export const orgServiceFactory = ({
     }
 
     if (authEnforced) {
-      const samlCfg = await samlConfigDAL.findEnforceableSamlCfg(orgId);
-      const oidcCfg = await oidcConfigDAL.findEnforceableOidcCfg(orgId);
+      const samlCfg = await samlConfigDAL.findOne({
+        orgId,
+        isActive: true
+      });
+      const oidcCfg = await oidcConfigDAL.findOne({
+        orgId,
+        isActive: true
+      });
 
       if (!samlCfg && !oidcCfg)
         throw new NotFoundError({
           message: `SAML or OIDC configuration for organization with ID '${orgId}' not found`
         });
+
+      if (samlCfg && !samlCfg.lastUsed) {
+        throw new BadRequestError({
+          message:
+            "To apply the new SAML auth enforcement, please log in via SAML at least once. This step is required to enforce SAML-based authentication."
+        });
+      }
+
+      if (oidcCfg && !oidcCfg.lastUsed) {
+        throw new BadRequestError({
+          message:
+            "To apply the new OIDC auth enforcement, please log in via OIDC at least once. This step is required to enforce OIDC-based authentication."
+        });
+      }
     }
 
     let defaultMembershipRole: string | undefined;
@@ -429,7 +450,8 @@ export const orgServiceFactory = ({
       defaultMembershipRole,
       enforceMfa,
       selectedMfaMethod,
-      allowSecretSharingOutsideOrganization
+      allowSecretSharingOutsideOrganization,
+      bypassOrgAuthEnabled
     });
     if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
     return org;

backend/src/services/org/org-types.ts

@@ -73,6 +73,7 @@ export type TUpdateOrgDTO = {
     enforceMfa: boolean;
     selectedMfaMethod: MfaMethod;
     allowSecretSharingOutsideOrganization: boolean;
+    bypassOrgAuthEnabled: boolean;
   }>;
 } & TOrgPermission;
 

backend/src/services/project/project-service.ts

@@ -86,6 +86,7 @@ import {
   TProjectAccessRequestDTO,
   TSearchProjectsDTO,
   TToggleProjectAutoCapitalizationDTO,
+  TToggleProjectDeleteProtectionDTO,
   TUpdateAuditLogsRetentionDTO,
   TUpdateProjectDTO,
   TUpdateProjectKmsDTO,
@@ -482,6 +483,12 @@ export const projectServiceFactory = ({
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
 
+    if (project.hasDeleteProtection) {
+      throw new ForbiddenRequestError({
+        message: "Project delete protection is enabled"
+      });
+    }
+
     const deletedProject = await projectDAL.transaction(async (tx) => {
       // delete these so that project custom roles can be deleted in cascade effect
       // direct deletion of project without these will cause fk error
@@ -616,6 +623,7 @@ export const projectServiceFactory = ({
       description: update.description,
       autoCapitalization: update.autoCapitalization,
       enforceCapitalization: update.autoCapitalization,
+      hasDeleteProtection: update.hasDeleteProtection,
       slug: update.slug
     });
 
@@ -648,6 +656,29 @@ export const projectServiceFactory = ({
     return updatedProject;
   };
 
+  const toggleDeleteProtection = async ({
+    projectId,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    hasDeleteProtection
+  }: TToggleProjectDeleteProtectionDTO) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
+
+    const updatedProject = await projectDAL.updateById(projectId, { hasDeleteProtection });
+
+    return updatedProject;
+  };
+
   const updateVersionLimit = async ({
     actor,
     actorId,
@@ -1499,6 +1530,7 @@ export const projectServiceFactory = ({
     getProjectUpgradeStatus,
     getAProject,
     toggleAutoCapitalization,
+    toggleDeleteProtection,
     updateName,
     upgradeProject,
     listProjectCas,

backend/src/services/project/project-types.ts

@@ -66,6 +66,10 @@ export type TToggleProjectAutoCapitalizationDTO = {
   autoCapitalization: boolean;
 } & TProjectPermission;
 
+export type TToggleProjectDeleteProtectionDTO = {
+  hasDeleteProtection: boolean;
+} & TProjectPermission;
+
 export type TUpdateProjectVersionLimitDTO = {
   pitVersionLimit: number;
   workspaceSlug: string;
@@ -86,6 +90,7 @@ export type TUpdateProjectDTO = {
     name?: string;
     description?: string;
     autoCapitalization?: boolean;
+    hasDeleteProtection?: boolean;
     slug?: string;
   };
 } & Omit<TProjectPermission, "projectId">;

backend/src/services/resource-cleanup/resource-cleanup-queue.ts

@@ -10,6 +10,7 @@ import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
 import { TSecretFolderVersionDALFactory } from "../secret-folder/secret-folder-version-dal";
 import { TSecretSharingDALFactory } from "../secret-sharing/secret-sharing-dal";
 import { TSecretVersionV2DALFactory } from "../secret-v2-bridge/secret-version-dal";
+import { TServiceTokenServiceFactory } from "../service-token/service-token-service";
 
 type TDailyResourceCleanUpQueueServiceFactoryDep = {
   auditLogDAL: Pick<TAuditLogDALFactory, "pruneAuditLog">;
@@ -21,6 +22,7 @@ type TDailyResourceCleanUpQueueServiceFactoryDep = {
   secretFolderVersionDAL: Pick<TSecretFolderVersionDALFactory, "pruneExcessVersions">;
   snapshotDAL: Pick<TSnapshotDALFactory, "pruneExcessSnapshots">;
   secretSharingDAL: Pick<TSecretSharingDALFactory, "pruneExpiredSharedSecrets" | "pruneExpiredSecretRequests">;
+  serviceTokenService: Pick<TServiceTokenServiceFactory, "notifyExpiringTokens">;
   queueService: TQueueServiceFactory;
 };
 
@@ -36,7 +38,8 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
   identityAccessTokenDAL,
   secretSharingDAL,
   secretVersionV2DAL,
-  identityUniversalAuthClientSecretDAL
+  identityUniversalAuthClientSecretDAL,
+  serviceTokenService
 }: TDailyResourceCleanUpQueueServiceFactoryDep) => {
   queueService.start(QueueName.DailyResourceCleanUp, async () => {
     logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
@@ -50,6 +53,7 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
     await secretVersionDAL.pruneExcessVersions();
     await secretVersionV2DAL.pruneExcessVersions();
     await secretFolderVersionDAL.pruneExcessVersions();
+    await serviceTokenService.notifyExpiringTokens();
     logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
   });
 

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -9,7 +9,8 @@ export enum SecretSync {
   Humanitec = "humanitec",
   TerraformCloud = "terraform-cloud",
   Camunda = "camunda",
-  Vercel = "vercel"
+  Vercel = "vercel",
+  Windmill = "windmill"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -29,6 +29,7 @@ import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
 import { HumanitecSyncFns } from "./humanitec/humanitec-sync-fns";
 import { TERRAFORM_CLOUD_SYNC_LIST_OPTION, TerraformCloudSyncFns } from "./terraform-cloud";
 import { VERCEL_SYNC_LIST_OPTION, VercelSyncFns } from "./vercel";
+import { WINDMILL_SYNC_LIST_OPTION, WindmillSyncFns } from "./windmill";
 
 const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
@@ -41,7 +42,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.Humanitec]: HUMANITEC_SYNC_LIST_OPTION,
   [SecretSync.TerraformCloud]: TERRAFORM_CLOUD_SYNC_LIST_OPTION,
   [SecretSync.Camunda]: CAMUNDA_SYNC_LIST_OPTION,
-  [SecretSync.Vercel]: VERCEL_SYNC_LIST_OPTION
+  [SecretSync.Vercel]: VERCEL_SYNC_LIST_OPTION,
+  [SecretSync.Windmill]: WINDMILL_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -136,6 +138,8 @@ export const SecretSyncFns = {
         }).syncSecrets(secretSync, secretMap);
       case SecretSync.Vercel:
         return VercelSyncFns.syncSecrets(secretSync, secretMap);
+      case SecretSync.Windmill:
+        return WindmillSyncFns.syncSecrets(secretSync, secretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -192,6 +196,9 @@ export const SecretSyncFns = {
       case SecretSync.Vercel:
         secretMap = await VercelSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.Windmill:
+        secretMap = await WindmillSyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -243,6 +250,8 @@ export const SecretSyncFns = {
         }).removeSecrets(secretSync, secretMap);
       case SecretSync.Vercel:
         return VercelSyncFns.removeSecrets(secretSync, secretMap);
+      case SecretSync.Windmill:
+        return WindmillSyncFns.removeSecrets(secretSync, secretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -12,7 +12,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.Humanitec]: "Humanitec",
   [SecretSync.TerraformCloud]: "Terraform Cloud",
   [SecretSync.Camunda]: "Camunda",
-  [SecretSync.Vercel]: "Vercel"
+  [SecretSync.Vercel]: "Vercel",
+  [SecretSync.Windmill]: "Windmill"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@@ -26,5 +27,6 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.Humanitec]: AppConnection.Humanitec,
   [SecretSync.TerraformCloud]: AppConnection.TerraformCloud,
   [SecretSync.Camunda]: AppConnection.Camunda,
-  [SecretSync.Vercel]: AppConnection.Vercel
+  [SecretSync.Vercel]: AppConnection.Vercel,
+  [SecretSync.Windmill]: AppConnection.Windmill
 };

backend/src/services/secret-sync/secret-sync-queue.ts

@@ -76,6 +76,7 @@ type TSecretSyncQueueFactoryDep = {
     | "findBySecretKeys"
     | "bulkUpdate"
     | "deleteMany"
+    | "invalidateSecretCacheByProjectId"
   >;
   secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
   secretSyncDAL: Pick<TSecretSyncDALFactory, "findById" | "find" | "updateById" | "deleteById">;
@@ -382,6 +383,9 @@ export const secretSyncQueueFactory = ({
       });
     }
 
+    if (secretsToUpdate.length || secretsToCreate.length)
+      await secretV2BridgeDAL.invalidateSecretCacheByProjectId(projectId);
+
     return importedSecretMap;
   };
 

backend/src/services/secret-sync/secret-sync-types.ts

@@ -29,6 +29,12 @@ import {
 } from "@app/services/secret-sync/github";
 import { TSecretSyncDALFactory } from "@app/services/secret-sync/secret-sync-dal";
 import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  TWindmillSync,
+  TWindmillSyncInput,
+  TWindmillSyncListItem,
+  TWindmillSyncWithCredentials
+} from "@app/services/secret-sync/windmill";
 
 import {
   TAwsParameterStoreSync,
@@ -74,7 +80,8 @@ export type TSecretSync =
   | THumanitecSync
   | TTerraformCloudSync
   | TCamundaSync
-  | TVercelSync;
+  | TVercelSync
+  | TWindmillSync;
 
 export type TSecretSyncWithCredentials =
   | TAwsParameterStoreSyncWithCredentials
@@ -87,7 +94,8 @@ export type TSecretSyncWithCredentials =
   | THumanitecSyncWithCredentials
   | TTerraformCloudSyncWithCredentials
   | TCamundaSyncWithCredentials
-  | TVercelSyncWithCredentials;
+  | TVercelSyncWithCredentials
+  | TWindmillSyncWithCredentials;
 
 export type TSecretSyncInput =
   | TAwsParameterStoreSyncInput
@@ -100,7 +108,8 @@ export type TSecretSyncInput =
   | THumanitecSyncInput
   | TTerraformCloudSyncInput
   | TCamundaSyncInput
-  | TVercelSyncInput;
+  | TVercelSyncInput
+  | TWindmillSyncInput;
 
 export type TSecretSyncListItem =
   | TAwsParameterStoreSyncListItem
@@ -113,7 +122,8 @@ export type TSecretSyncListItem =
   | THumanitecSyncListItem
   | TTerraformCloudSyncListItem
   | TCamundaSyncListItem
-  | TVercelSyncListItem;
+  | TVercelSyncListItem
+  | TWindmillSyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

backend/src/services/secret-sync/windmill/index.ts

@@ -0,0 +1,4 @@
+export * from "./windmill-sync-constants";
+export * from "./windmill-sync-fns";
+export * from "./windmill-sync-schemas";
+export * from "./windmill-sync-types";

backend/src/services/secret-sync/windmill/windmill-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const WINDMILL_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Windmill",
+  destination: SecretSync.Windmill,
+  connection: AppConnection.Windmill,
+  canImportSecrets: true
+};

backend/src/services/secret-sync/windmill/windmill-sync-fns.ts

@@ -0,0 +1,241 @@
+import { request } from "@app/lib/config/request";
+import { getWindmillInstanceUrl } from "@app/services/app-connection/windmill";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import {
+  TDeleteWindmillVariable,
+  TPostWindmillVariable,
+  TWindmillListVariables,
+  TWindmillListVariablesResponse,
+  TWindmillSyncWithCredentials,
+  TWindmillVariable
+} from "@app/services/secret-sync/windmill/windmill-sync-types";
+
+import { TSecretMap } from "../secret-sync-types";
+
+const PAGE_LIMIT = 100;
+
+const listWindmillVariables = async ({ instanceUrl, workspace, accessToken, path }: TWindmillListVariables) => {
+  const variables: Record<string, TWindmillVariable> = {};
+
+  // windmill paginates but doesn't return if there's more pages so we need to check if page size full
+  let page: number | null = 1;
+
+  while (page) {
+    // eslint-disable-next-line no-await-in-loop
+    const { data: variablesPage } = await request.get<TWindmillListVariablesResponse>(
+      `${instanceUrl}/api/w/${workspace}/variables/list`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        },
+        params: {
+          page,
+          limit: PAGE_LIMIT,
+          path_start: path
+        }
+      }
+    );
+
+    for (const variable of variablesPage) {
+      const variableName = variable.path.replace(path, "");
+
+      if (variable.is_secret) {
+        // eslint-disable-next-line no-await-in-loop
+        const { data: variableValue } = await request.get<string>(
+          `${instanceUrl}/api/w/${workspace}/variables/get_value/${variable.path}`,
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`
+            }
+          }
+        );
+
+        variables[variableName] = {
+          ...variable,
+          value: variableValue
+        };
+      } else {
+        variables[variableName] = variable;
+      }
+    }
+
+    if (variablesPage.length >= PAGE_LIMIT) {
+      page += 1;
+    } else {
+      page = null;
+    }
+  }
+
+  return variables;
+};
+
+const createWindmillVariable = async ({
+  path,
+  value,
+  instanceUrl,
+  accessToken,
+  workspace,
+  description
+}: TPostWindmillVariable) =>
+  request.post(
+    `${instanceUrl}/api/w/${workspace}/variables/create`,
+    {
+      path,
+      value,
+      is_secret: true,
+      description
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+
+const updateWindmillVariable = async ({
+  path,
+  value,
+  instanceUrl,
+  accessToken,
+  workspace,
+  description
+}: TPostWindmillVariable) =>
+  request.post(
+    `${instanceUrl}/api/w/${workspace}/variables/update/${path}`,
+    {
+      value,
+      is_secret: true,
+      description
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json"
+      }
+    }
+  );
+
+const deleteWindmillVariable = async ({ path, instanceUrl, accessToken, workspace }: TDeleteWindmillVariable) =>
+  request.delete(`${instanceUrl}/api/w/${workspace}/variables/delete/${path}`, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+
+export const WindmillSyncFns = {
+  syncSecrets: async (secretSync: TWindmillSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection,
+      destinationConfig: { path },
+      syncOptions: { disableSecretDeletion }
+    } = secretSync;
+
+    // url needs to be lowercase
+    const workspace = secretSync.destinationConfig.workspace.toLowerCase();
+
+    const instanceUrl = await getWindmillInstanceUrl(connection);
+
+    const { accessToken } = connection.credentials;
+
+    const variables = await listWindmillVariables({ instanceUrl, accessToken, workspace, path });
+
+    for await (const entry of Object.entries(secretMap)) {
+      const [key, { value, comment = "" }] = entry;
+
+      try {
+        const payload = {
+          instanceUrl,
+          workspace,
+          path: path + key,
+          value,
+          accessToken,
+          description: comment
+        };
+        if (key in variables) {
+          if (variables[key].value !== value || variables[key].description !== comment)
+            await updateWindmillVariable(payload);
+        } else {
+          await createWindmillVariable(payload);
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+
+    if (disableSecretDeletion) return;
+
+    for await (const [key, variable] of Object.entries(variables)) {
+      if (!(key in secretMap)) {
+        try {
+          await deleteWindmillVariable({
+            instanceUrl,
+            workspace,
+            path: variable.path,
+            accessToken
+          });
+        } catch (error) {
+          throw new SecretSyncError({
+            error,
+            secretKey: key
+          });
+        }
+      }
+    }
+  },
+  removeSecrets: async (secretSync: TWindmillSyncWithCredentials, secretMap: TSecretMap) => {
+    const {
+      connection,
+      destinationConfig: { path }
+    } = secretSync;
+
+    // url needs to be lowercase
+    const workspace = secretSync.destinationConfig.workspace.toLowerCase();
+
+    const instanceUrl = await getWindmillInstanceUrl(connection);
+
+    const { accessToken } = connection.credentials;
+
+    const variables = await listWindmillVariables({ instanceUrl, accessToken, workspace, path });
+
+    for await (const [key, variable] of Object.entries(variables)) {
+      if (key in secretMap) {
+        try {
+          await deleteWindmillVariable({
+            path: variable.path,
+            instanceUrl,
+            workspace,
+            accessToken
+          });
+        } catch (error) {
+          throw new SecretSyncError({
+            error,
+            secretKey: key
+          });
+        }
+      }
+    }
+  },
+  getSecrets: async (secretSync: TWindmillSyncWithCredentials) => {
+    const {
+      connection,
+      destinationConfig: { path }
+    } = secretSync;
+
+    // url needs to be lowercase
+    const workspace = secretSync.destinationConfig.workspace.toLowerCase();
+
+    const instanceUrl = await getWindmillInstanceUrl(connection);
+
+    const { accessToken } = connection.credentials;
+
+    const variables = await listWindmillVariables({ instanceUrl, accessToken, workspace, path });
+
+    return Object.fromEntries(
+      Object.entries(variables).map(([key, variable]) => [key, { value: variable.value ?? "" }])
+    );
+  }
+};

backend/src/services/secret-sync/windmill/windmill-sync-schemas.ts

@@ -0,0 +1,66 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const pathCharacterValidator = characterValidator([
+  CharacterType.AlphaNumeric,
+  CharacterType.Underscore,
+  CharacterType.Hyphen
+]);
+
+const WindmillSyncDestinationConfigSchema = z.object({
+  workspace: z.string().trim().min(1, "Workspace required").describe(SecretSyncs.DESTINATION_CONFIG.WINDMILL.workspace),
+  path: z
+    .string()
+    .trim()
+    .min(1, "Path required")
+    .refine(
+      (val) =>
+        (val.startsWith("u/") || val.startsWith("f/")) &&
+        val.endsWith("/") &&
+        val.split("/").length >= 3 &&
+        val
+          .split("/")
+          .slice(0, -1) // Remove last empty segment from trailing slash
+          .every((segment) => segment && pathCharacterValidator(segment)),
+      'Invalid path - must follow Windmill path format. ex: "f/folder/path/"'
+    )
+    .describe(SecretSyncs.DESTINATION_CONFIG.WINDMILL.path)
+});
+
+const WindmillSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const WindmillSyncSchema = BaseSecretSyncSchema(SecretSync.Windmill, WindmillSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Windmill),
+  destinationConfig: WindmillSyncDestinationConfigSchema
+});
+
+export const CreateWindmillSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Windmill,
+  WindmillSyncOptionsConfig
+).extend({
+  destinationConfig: WindmillSyncDestinationConfigSchema
+});
+
+export const UpdateWindmillSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Windmill,
+  WindmillSyncOptionsConfig
+).extend({
+  destinationConfig: WindmillSyncDestinationConfigSchema.optional()
+});
+
+export const WindmillSyncListItemSchema = z.object({
+  name: z.literal("Windmill"),
+  connection: z.literal(AppConnection.Windmill),
+  destination: z.literal(SecretSync.Windmill),
+  canImportSecrets: z.literal(true)
+});

backend/src/services/secret-sync/windmill/windmill-sync-types.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+
+import { TWindmillConnection } from "@app/services/app-connection/windmill";
+
+import { CreateWindmillSyncSchema, WindmillSyncListItemSchema, WindmillSyncSchema } from "./windmill-sync-schemas";
+
+export type TWindmillSync = z.infer<typeof WindmillSyncSchema>;
+
+export type TWindmillSyncInput = z.infer<typeof CreateWindmillSyncSchema>;
+
+export type TWindmillSyncListItem = z.infer<typeof WindmillSyncListItemSchema>;
+
+export type TWindmillSyncWithCredentials = TWindmillSync & {
+  connection: TWindmillConnection;
+};
+
+export type TWindmillVariable = {
+  path: string;
+  value: string;
+  is_secret: boolean;
+  is_oauth: boolean;
+  description: string;
+};
+
+export type TWindmillListVariablesResponse = TWindmillVariable[];
+
+export type TWindmillListVariables = {
+  accessToken: string;
+  instanceUrl: string;
+  path: string;
+  workspace: string;
+  description?: string;
+};
+
+export type TPostWindmillVariable = TWindmillListVariables & {
+  value: string;
+};
+
+export type TDeleteWindmillVariable = TWindmillListVariables;

backend/src/services/service-token/service-token-dal.ts

@@ -28,5 +28,36 @@ export const serviceTokenDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...stOrm, findById };
+  const findExpiringTokens = async (tx?: Knex, batchSize = 500, offset = 0) => {
+    try {
+      const batch: { name: string; projectName: string; createdByEmail: string; id: string; projectId: string }[] =
+        await (tx || db.replicaNode())(TableName.ServiceToken)
+          .leftJoin<TUsers>(
+            TableName.Users,
+            `${TableName.Users}.id`,
+            db.raw(`${TableName.ServiceToken}."createdBy"::uuid`)
+          )
+          .join(TableName.Project, `${TableName.Project}.id`, `${TableName.ServiceToken}.projectId`)
+          .whereRaw(
+            `${TableName.ServiceToken}."expiresAt" < NOW() + INTERVAL '1 day' AND ${TableName.ServiceToken}."expiryNotificationSent" = false`
+          )
+          .whereNotNull(`${TableName.Users}.email`)
+          .select(
+            db.ref("id").withSchema(TableName.ServiceToken),
+            db.ref("name").withSchema(TableName.ServiceToken),
+            db.ref("projectId").withSchema(TableName.ServiceToken),
+            db.ref("createdBy").withSchema(TableName.ServiceToken),
+            db.ref("email").withSchema(TableName.Users).as("createdByEmail"),
+            db.ref("name").withSchema(TableName.Project).as("projectName")
+          )
+          .limit(batchSize)
+          .offset(offset);
+
+      return batch;
+    } catch (err) {
+      throw new DatabaseError({ error: err, name: "FindExpiredTokens" });
+    }
+  };
+
+  return { ...stOrm, findById, findExpiringTokens };
 };

backend/src/services/service-token/service-token-service.ts

@@ -12,11 +12,13 @@ import {
 } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
 import { ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 
 import { TAccessTokenQueueServiceFactory } from "../access-token-queue/access-token-queue";
 import { ActorType } from "../auth/auth-type";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
+import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TServiceTokenDALFactory } from "./service-token-dal";
 import {
@@ -33,6 +35,7 @@ type TServiceTokenServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findBySlugs">;
   projectDAL: Pick<TProjectDALFactory, "findById">;
   accessTokenQueue: Pick<TAccessTokenQueueServiceFactory, "updateServiceTokenStatus">;
+  smtpService: Pick<TSmtpService, "sendMail">;
 };
 
 export type TServiceTokenServiceFactory = ReturnType<typeof serviceTokenServiceFactory>;
@@ -43,7 +46,8 @@ export const serviceTokenServiceFactory = ({
   permissionService,
   projectEnvDAL,
   projectDAL,
-  accessTokenQueue
+  accessTokenQueue,
+  smtpService
 }: TServiceTokenServiceFactoryDep) => {
   const createServiceToken = async ({
     iv,
@@ -185,11 +189,56 @@ export const serviceTokenServiceFactory = ({
     return { ...serviceToken, lastUsed: new Date(), orgId: project.orgId };
   };
 
+  const notifyExpiringTokens = async () => {
+    const appCfg = getConfig();
+    let processedCount = 0;
+    let hasMoreRecords = true;
+    let offset = 0;
+    const batchSize = 500;
+
+    while (hasMoreRecords) {
+      // eslint-disable-next-line no-await-in-loop
+      const expiringTokens = await serviceTokenDAL.findExpiringTokens(undefined, batchSize, offset);
+
+      if (expiringTokens.length === 0) {
+        hasMoreRecords = false;
+        break;
+      }
+
+      // eslint-disable-next-line no-await-in-loop
+      await Promise.all(
+        expiringTokens.map(async (token) => {
+          try {
+            await smtpService.sendMail({
+              recipients: [token.createdByEmail],
+              subjectLine: "Service Token Expiry Notice",
+              template: SmtpTemplates.ServiceTokenExpired,
+              substitutions: {
+                tokenName: token.name,
+                projectName: token.projectName,
+                url: `${appCfg.SITE_URL}/secret-manager/${token.projectId}/access-management?selectedTab=service-tokens`
+              }
+            });
+            await serviceTokenDAL.update({ id: token.id }, { expiryNotificationSent: true });
+          } catch (error) {
+            logger.error(error, `Failed to send expiration notification for token ${token.id}:`);
+          }
+        })
+      );
+
+      processedCount += expiringTokens.length;
+      offset += batchSize;
+    }
+
+    return processedCount;
+  };
+
   return {
     createServiceToken,
     deleteServiceToken,
     getServiceToken,
     getProjectServiceTokens,
-    fnValidateServiceToken
+    fnValidateServiceToken,
+    notifyExpiringTokens
   };
 };

backend/src/services/smtp/smtp-service.ts

@@ -43,7 +43,8 @@ export enum SmtpTemplates {
   SecretRequestCompleted = "secretRequestCompleted.handlebars",
   SecretRotationFailed = "secretRotationFailed.handlebars",
   ProjectAccessRequest = "projectAccess.handlebars",
-  OrgAdminProjectDirectAccess = "orgAdminProjectGrantAccess.handlebars"
+  OrgAdminProjectDirectAccess = "orgAdminProjectGrantAccess.handlebars",
+  ServiceTokenExpired = "serviceTokenExpired.handlebars"
 }
 
 export enum SmtpHost {

backend/src/services/smtp/templates/serviceTokenExpired.handlebars

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Service Token Expiring Soon</title>
+  </head>
+
+  <body>
+    <h2>Service Token Expiry Notice</h2>
+    <p>Your service token <strong>"{{tokenName}}"</strong> will expire within 24 hours.</p>
+    
+    <p>This token is currently being used on project "{{projectName}}". If this token is still needed for your workflow, please create a new one before it expires.</p>
+    
+    <a href="{{url}}">Create New Token</a>
+    
+    {{emailFooter}}
+  </body>
+</html>

docs/api-reference/endpoints/app-connections/auth0/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/auth0/available"
+---

docs/api-reference/endpoints/app-connections/auth0/create.mdx

@@ -0,0 +1,9 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/auth0"
+---
+
+<Note>
+    Check out the configuration docs for [Auth0 Connections](/integrations/app-connections/auth0) to learn how to obtain the
+    required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/auth0/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/auth0/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/auth0/get-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/auth0/{connectionId}"
+---

docs/api-reference/endpoints/app-connections/auth0/get-by-name.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/auth0/connection-name/{connectionName}"
+---

docs/api-reference/endpoints/app-connections/auth0/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/auth0"
+---

docs/api-reference/endpoints/app-connections/auth0/update.mdx

@@ -0,0 +1,9 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/auth0/{connectionId}"
+---
+
+<Note>
+    Check out the configuration docs for [Auth0 Connections](/integrations/app-connections/auth0) to learn how to obtain the
+    required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/windmill/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/windmill/available"
+---