Merge pull request #728 from JunedKhan101/feature-723-remove-trailing-slash

Implemented feature to remove the trailing slash from the domain url

.env.example

@@ -61,13 +61,6 @@ SENTRY_DSN=
 # Ignore - Not applicable for self-hosted version
 POSTHOG_HOST=
 POSTHOG_PROJECT_API_KEY=
-STRIPE_SECRET_KEY=
-STRIPE_PUBLISHABLE_KEY=
-STRIPE_WEBHOOK_SECRET=
-STRIPE_PRODUCT_STARTER=
-STRIPE_PRODUCT_TEAM=
-STRIPE_PRODUCT_PRO=
-NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
 
 CLIENT_ID_GOOGLE=
 CLIENT_SECRET_GOOGLE=

.github/values.yaml

@@ -1,3 +1,10 @@
+# secretScanningGitApp:
+#   enabled: false
+#   deploymentAnnotations:
+#     secrets.infisical.com/auto-reload: "true"
+#   image:
+#     repository: infisical/staging_deployment_secret-scanning-git-app
+    
 frontend:
   enabled: true
   name: frontend
@@ -6,7 +13,7 @@ frontend:
     secrets.infisical.com/auto-reload: "true"
   replicaCount: 2
   image:
-    repository: infisical/frontend
+    repository: infisical/staging_deployment_frontend
     tag: "latest"
     pullPolicy: Always
   kubeSecretRef: managed-secret-frontend
@@ -25,7 +32,7 @@ backend:
     secrets.infisical.com/auto-reload: "true"
   replicaCount: 2
   image:
-    repository: infisical/backend
+    repository: infisical/staging_deployment_backend
     tag: "latest"
     pullPolicy: Always
   kubeSecretRef: managed-backend-secret
@@ -51,8 +58,8 @@ mongodbConnection:
 
 ingress:
   enabled: true
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
+  # annotations:
+  #   kubernetes.io/ingress.class: "nginx"
     # cert-manager.io/issuer: letsencrypt-nginx
   hostName: gamma.infisical.com ## <- Replace with your own domain
   frontend:

.github/workflows/build-docker-image-to-prod.yml

@@ -0,0 +1,118 @@
+name: Release production images (frontend, backend)
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
+
+jobs:
+  backend-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: backend
+          tags: infisical/backend:test
+      - name: ⏻ Spawn backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      - name: 🧪 Test backend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-backend-test
+      - name: ⏻ Shut down backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: backend
+          tags: |
+            infisical/backend:${{ steps.commit.outputs.short }}
+            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+
+  frontend-image:
+    name: Build frontend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build frontend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          load: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          project: 64mmf0n610
+          context: frontend
+          tags: infisical/frontend:test
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+      - name: ⏻ Spawn frontend container
+        run: |
+          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+      - name: 🧪 Test frontend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-frontend-test
+      - name: ⏻ Shut down frontend container
+        run: |
+          docker stop infisical-frontend-test
+      - name: 🏗️ Build frontend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          push: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          context: frontend
+          tags: |
+            infisical/frontend:${{ steps.commit.outputs.short }}
+            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}

.github/workflows/build-staging-img.yml

@@ -1,17 +1,11 @@
 name: Build, Publish and Deploy to Gamma
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
+on: [workflow_dispatch]
 
 jobs:
   backend-image:
     name: Build backend image
     runs-on: ubuntu-latest
     steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - name: 📦 Install dependencies to test all dependencies
@@ -57,18 +51,14 @@ jobs:
           push: true
           context: backend
           tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
+            infisical/staging_deployment_backend:${{ steps.commit.outputs.short }}
+            infisical/staging_deployment_backend:latest
           platforms: linux/amd64,linux/arm64
 
   frontend-image:
     name: Build frontend image
     runs-on: ubuntu-latest
     steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - name: Save commit hashes for tag
@@ -90,12 +80,12 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           project: 64mmf0n610
           context: frontend
-          tags: infisical/frontend:test
+          tags: infisical/staging_deployment_frontend:test
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
       - name: ⏻ Spawn frontend container
         run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+          docker run -d --rm --name infisical-frontend-test infisical/staging_deployment_frontend:test
       - name: 🧪 Test frontend image
         run: |
           ./.github/resources/healthcheck.sh infisical-frontend-test
@@ -110,9 +100,8 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           context: frontend
           tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
+            infisical/staging_deployment_frontend:${{ steps.commit.outputs.short }}
+            infisical/staging_deployment_frontend:latest
           platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
@@ -146,7 +135,7 @@ jobs:
       - name: Download helm values to file and upgrade gamma deploy
         run: |
           wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
+          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --wait --install
           if [[ $(helm status infisical) == *"FAILED"* ]]; then
             echo "Helm upgrade failed"
             exit 1

.gitignore

@@ -2,6 +2,7 @@
 node_modules
 .env
 .env.dev
+.env.gamma
 .env.prod
 .env.infisical
 

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+	"workbench.editor.wrapTabs": true
+}

Dockerfile.standalone-infisical

@@ -25,6 +25,8 @@ ARG POSTHOG_HOST
 ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 
 # Build
 RUN npm run build
@@ -42,6 +44,9 @@ VOLUME /app/.next/cache/images
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
   BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 
 COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public

README.md

@@ -3,17 +3,26 @@
   <img width="300" src="/img/logoname-white.svg#gh-dark-mode-only" alt="infisical">
 </h1>
 <p align="center">
-  <p align="center">Open-source, end-to-end encrypted platform to manage secrets and configs across your team and infrastructure.</p>
+  <p align="center"><b>Open-source, end-to-end encrypted secret management platform</b>: distribute secrets/configs across your team/infrastructure and prevent secret leaks.</p>
 </p>
 
 <h4 align="center">
-  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">Slack</a> |
+  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1ye0tm8ab-899qZ6ZbpfESuo6TEikyOQ">Slack</a> |
   <a href="https://infisical.com/">Infisical Cloud</a> |
   <a href="https://infisical.com/docs/self-hosting/overview">Self-Hosting</a> |
   <a href="https://infisical.com/docs/documentation/getting-started/introduction">Docs</a> |
   <a href="https://www.infisical.com">Website</a>
 </h4>
 
+<p align="center">
+  <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2">
+    <img src=".github/images/deploy-to-aws.png" width="137" />
+  </a>
+  <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean">
+     <img width="200" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/>
+  </a>
+</p>
+
 <h4 align="center">
   <a href="https://github.com/Infisical/infisical/blob/main/LICENSE">
     <img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="Infisical is released under the MIT license." />
@@ -25,7 +34,7 @@
     <img src="https://img.shields.io/github/commit-activity/m/infisical/infisical" alt="git commit activity" />
   </a>
   <a href="https://cloudsmith.io/~infisical/repos/">
-    <img src="https://img.shields.io/badge/Downloads-240.2k-orange" alt="Cloudsmith downloads" />
+    <img src="https://img.shields.io/badge/Downloads-395.8k-orange" alt="Cloudsmith downloads" />
   </a>
   <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">
     <img src="https://img.shields.io/badge/chat-on%20Slack-blueviolet" alt="Slack community channel" />
@@ -54,24 +63,18 @@ We're on a mission to make secret management more accessible to everyone, not ju
 -   **[Secret versioning](https://infisical.com/docs/documentation/platform/secret-versioning)** and **[Point-in-Time Recovery]()** to version every secret and project state
 -   **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)** to record every action taken in a project
 -   **Role-based Access Controls** per environment
--   [**Simple on-premise deployments** to AWS and Digital Ocean](https://infisical.com/docs/self-hosting/overview)
--   [**Secret Scanning**](https://infisical.com/docs/cli/scanning-overview)
+-   [**Simple on-premise deployments** to AWS, Digital Ocean, and more](https://infisical.com/docs/self-hosting/overview)
+-   [**Secret Scanning and Leak Prevention**](https://infisical.com/docs/cli/scanning-overview)
 
 And much more.
 
 ## Getting started
 
-Check out the [Quickstart](https://infisical.com/docs/getting-started/introduction) Guides
+Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/introduction)
 
-### Use Infisical Cloud
-
-The fastest and most reliable way to get started with Infisical is signing up for free to [Infisical Cloud](https://app.infisical.com/login).
-
-### Deploy Infisical on premise
-
-<a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace"><img src=".github/images/do-k8-install-btn.png" width="200"/></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-aws-button.png" width="150" width="300" /></a>
-
-View all [deployment options](https://infisical.com/docs/self-hosting/overview)
+| Use Infisical Cloud | Deploy Infisical on premise |
+| --- | ----------- |
+| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-to-aws.png" width="150" width="300" /></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean"> <img width="217" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/> </a> <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
 
 ### Run Infisical locally
 
@@ -92,7 +95,7 @@ git clone https://github.com/Infisical/infisical && cd infisical && copy .env.ex
 Create an account at `http://localhost:80`
 
 ### Scan and prevent secret leaks 
-On top managing secrets with Infisical, you can also scan for over 140+ secret types in your files, directories and git repositories. 
+On top managing secrets with Infisical, you can also [scan for over 140+ secret types]() in your files, directories and git repositories. 
 
 To scan your full git history, run:
 
@@ -111,7 +114,11 @@ Lean about Infisical's code scanning feature [here](https://infisical.com/docs/c
 
 ## Open-source vs. paid
 
-This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license in the future. 
+This repo available under the [MIT expat license](https://github.com/Infisical/infisical/blob/main/LICENSE), with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license. 
+
+If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at [our webiste](https://infisical.com/) or [book a meeting with us](https://cal.com/vmatsiiako/infisical-demo): 
+
+<a href="https://cal.com/vmatsiiako/infisical-demo"><img alt="Schedule a meeting" src="https://cal.com/book-with-cal-dark.svg" /></a>
 
 ## Security
 
@@ -127,7 +134,7 @@ Whether it's big or small, we love contributions. Check out our guide to see how
 
 Not sure where to get started? You can:
 
--   [Book a free, non-pressure pairing sessions with one of our teammates](mailto:tony@infisical.com?subject=Pairing%20session&body=I'd%20like%20to%20do%20a%20pairing%20session!)!
+-   [Book a free, non-pressure pairing session / code walkthrough with one of our teammates](https://cal.com/tony-infisical/30-min-meeting-contributing)!
 -   Join our <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">Slack</a>, and ask us any questions there.
 
 ## Resources
@@ -136,7 +143,7 @@ Not sure where to get started? You can:
 - [Slack](https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg) for discussion with the community and Infisical team.
 - [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
 - [Twitter](https://twitter.com/infisical) for fast news
-- [YouTube](https://www.youtube.com/@infisical5306) for videos on secret management
+- [YouTube](https://www.youtube.com/@infisical_od) for videos on secret management
 - [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
 - [Roadmap](https://www.notion.so/infisical/be2d2585a6694e40889b03aef96ea36b?v=5b19a8127d1a4060b54769567a8785fa) for planned features
 

backend/.eslintrc

@@ -1,12 +1,44 @@
 {
   "parser": "@typescript-eslint/parser",
-  "plugins": ["@typescript-eslint"],
+  "plugins": [
+    "@typescript-eslint",
+    "unused-imports"
+  ],
   "extends": [
     "eslint:recommended",
     "plugin:@typescript-eslint/eslint-recommended",
     "plugin:@typescript-eslint/recommended"
   ],
   "rules": {
-    "no-console": 2
+    "@typescript-eslint/no-empty-function": "off",
+    "no-console": 2,
+    "quotes": [
+      "error",
+      "double",
+      {
+        "avoidEscape": true
+      }
+    ],
+    "comma-dangle": [
+      "error",
+      "only-multiline"
+    ],
+    "@typescript-eslint/no-unused-vars": "off",
+    "unused-imports/no-unused-imports": "error",
+    "unused-imports/no-unused-vars": [
+      "warn",
+      {
+        "vars": "all",
+        "varsIgnorePattern": "^_",
+        "args": "after-used",
+        "argsIgnorePattern": "^_"
+      }
+    ],
+    "sort-imports": [
+      "error",
+      {
+        "ignoreDeclarationSort": true
+      }
+    ]
   }
-}
+}

backend/.prettierrc

@@ -0,0 +1,7 @@
+{
+  "singleQuote": false,
+  "printWidth": 100,
+  "trailingComma": "none",
+  "tabWidth": 2,
+  "semi": true
+}

backend/environment.d.ts

@@ -14,7 +14,7 @@ declare global {
 			JWT_SIGNUP_LIFETIME: string;
 			JWT_SIGNUP_SECRET: string;
       MONGO_URL: string;
-      NODE_ENV: 'development' | 'staging' | 'testing' | 'production';
+      NODE_ENV: "development" | "staging" | "testing" | "production";
       VERBOSE_ERROR_OUTPUT: string;
       LOKI_HOST: string;
       CLIENT_ID_HEROKU: string;
@@ -39,12 +39,6 @@ declare global {
       SMTP_PASSWORD: string;
       SMTP_FROM_ADDRESS: string;
       SMTP_FROM_NAME: string;
-      STRIPE_PRODUCT_STARTER: string;
-      STRIPE_PRODUCT_TEAM: string;
-      STRIPE_PRODUCT_PRO: string;
-      STRIPE_PUBLISHABLE_KEY: string;
-      STRIPE_SECRET_KEY: string;
-      STRIPE_WEBHOOK_SECRET: string;
       TELEMETRY_ENABLED: string;
       LICENSE_KEY: string;
     }

backend/jest.config.ts

@@ -1,9 +1,9 @@
 export default {
-  preset: 'ts-jest',
-  testEnvironment: 'node',
-  collectCoverageFrom: ['src/*.{js,ts}', '!**/node_modules/**'],
-  modulePaths: ['<rootDir>/src'],
-  testMatch: ['<rootDir>/tests/**/*.test.ts'],
-  setupFiles: ['<rootDir>/test-resources/env-vars.js'],
-  setupFilesAfterEnv: ['<rootDir>/tests/setupTests.ts']
+  preset: "ts-jest",
+  testEnvironment: "node",
+  collectCoverageFrom: ["src/*.{js,ts}", "!**/node_modules/**"],
+  modulePaths: ["<rootDir>/src"],
+  testMatch: ["<rootDir>/tests/**/*.test.ts"],
+  setupFiles: ["<rootDir>/test-resources/env-vars.js"],
+  setupFilesAfterEnv: ["<rootDir>/tests/setupTests.ts"],
 };

backend/package.json

@@ -8,18 +8,17 @@
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
     "argon2": "^0.30.3",
-    "await-to-js": "^3.0.0",
     "aws-sdk": "^2.1364.0",
     "axios": "^1.3.5",
     "axios-retry": "^3.4.0",
     "bcrypt": "^5.1.0",
     "bigint-conversion": "^2.4.0",
-    "builder-pattern": "^2.2.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "crypto-js": "^4.1.1",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
+    "express-async-errors": "^3.1.1",
     "express-rate-limit": "^6.7.0",
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
@@ -31,17 +30,15 @@
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
     "mongoose": "^6.10.5",
-    "node-cache": "^5.1.2",
     "nanoid": "^3.3.6",
+    "node-cache": "^5.1.2",
     "nodemailer": "^6.8.0",
     "passport": "^0.6.0",
     "passport-google-oauth20": "^2.0.0",
     "posthog-node": "^2.6.0",
     "query-string": "^7.1.3",
     "rate-limit-mongo": "^2.3.2",
-    "request-ip": "^3.3.0",
     "rimraf": "^3.0.2",
-    "stripe": "^10.7.0",
     "swagger-autogen": "^2.22.0",
     "swagger-ui-express": "^4.6.2",
     "tweetnacl": "^1.0.3",
@@ -58,7 +55,7 @@
     "start": "node build/index.js",
     "dev": "nodemon",
     "swagger-autogen": "node ./swagger/index.ts",
-    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
     "lint-staged": "lint-staged",
@@ -92,6 +89,7 @@
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
     "@types/passport": "^1.0.12",
+    "@types/picomatch": "^2.3.0",
     "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
@@ -99,6 +97,7 @@
     "@typescript-eslint/parser": "^5.40.1",
     "cross-env": "^7.0.3",
     "eslint": "^8.26.0",
+    "eslint-plugin-unused-imports": "^2.0.0",
     "install": "^0.13.0",
     "jest": "^29.3.1",
     "jest-junit": "^15.0.0",

backend/src/config/index.ts

@@ -1,93 +1,85 @@
-import InfisicalClient from 'infisical-node';
+import InfisicalClient from "infisical-node";
 
 export const client = new InfisicalClient({
-  token: process.env.INFISICAL_TOKEN!
+  token: process.env.INFISICAL_TOKEN!,
 });
 
-export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
+export const getPort = async () => (await client.getSecret("PORT")).secretValue || 4000;
 export const getEncryptionKey = async () => {
-  const secretValue = (await client.getSecret('ENCRYPTION_KEY')).secretValue;
-  return secretValue === '' ? undefined : secretValue;
+  const secretValue = (await client.getSecret("ENCRYPTION_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
 }
 export const getRootEncryptionKey = async () => {
-  const secretValue = (await client.getSecret('ROOT_ENCRYPTION_KEY')).secretValue; 
-  return secretValue === '' ? undefined : secretValue;
+  const secretValue = (await client.getSecret("ROOT_ENCRYPTION_KEY")).secretValue; 
+  return secretValue === "" ? undefined : secretValue;
 }
-export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue === 'true'
-export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
-export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
-export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
-export const getJwtMfaLifetime = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
-export const getJwtMfaSecret = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
-export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_REFRESH_LIFETIME')).secretValue || '90d';
-export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
-export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
-export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
-export const getJwtProviderAuthSecret = async () => (await client.getSecret('JWT_PROVIDER_AUTH_SECRET')).secretValue;
-export const getJwtProviderAuthLifetime = async () => (await client.getSecret('JWT_PROVIDER_AUTH_LIFETIME')).secretValue || '15m';
-export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
-export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
-export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
-export const getVerboseErrorOutput = async () => (await client.getSecret('VERBOSE_ERROR_OUTPUT')).secretValue === 'true' && true;
-export const getLokiHost = async () => (await client.getSecret('LOKI_HOST')).secretValue;
-export const getClientIdAzure = async () => (await client.getSecret('CLIENT_ID_AZURE')).secretValue;
-export const getClientIdHeroku = async () => (await client.getSecret('CLIENT_ID_HEROKU')).secretValue;
-export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_VERCEL')).secretValue;
-export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
-export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
-export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
-export const getClientIdGoogle = async () => (await client.getSecret('CLIENT_ID_GOOGLE')).secretValue;
-export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
-export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
-export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
-export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
-export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
-export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
-export const getClientSecretGoogle = async () => (await client.getSecret('CLIENT_SECRET_GOOGLE')).secretValue;
-export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
-export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
-export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-export const getSentryDSN = async () => (await client.getSecret('SENTRY_DSN')).secretValue;
-export const getSiteURL = async () => (await client.getSecret('SITE_URL')).secretValue;
-export const getSmtpHost = async () => (await client.getSecret('SMTP_HOST')).secretValue;
-export const getSmtpSecure = async () => (await client.getSecret('SMTP_SECURE')).secretValue === 'true' || false;
-export const getSmtpPort = async () => parseInt((await client.getSecret('SMTP_PORT')).secretValue) || 587;
-export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAME')).secretValue;
-export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
-export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
-export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
+export const getInviteOnlySignup = async () => (await client.getSecret("INVITE_ONLY_SIGNUP")).secretValue === "true"
+export const getSaltRounds = async () => parseInt((await client.getSecret("SALT_ROUNDS")).secretValue) || 10;
+export const getJwtAuthLifetime = async () => (await client.getSecret("JWT_AUTH_LIFETIME")).secretValue || "10d";
+export const getJwtAuthSecret = async () => (await client.getSecret("JWT_AUTH_SECRET")).secretValue;
+export const getJwtMfaLifetime = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtMfaSecret = async () => (await client.getSecret("JWT_MFA_LIFETIME")).secretValue || "5m";
+export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_REFRESH_LIFETIME")).secretValue || "90d";
+export const getJwtRefreshSecret = async () => (await client.getSecret("JWT_REFRESH_SECRET")).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue;
+export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
+export const getJwtProviderAuthSecret = async () => (await client.getSecret("JWT_PROVIDER_AUTH_SECRET")).secretValue;
+export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
+export const getJwtSignupSecret = async () => (await client.getSecret("JWT_SIGNUP_SECRET")).secretValue;
+export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
+export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production";
+export const getVerboseErrorOutput = async () => (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
+export const getLokiHost = async () => (await client.getSecret("LOKI_HOST")).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret("CLIENT_ID_AZURE")).secretValue;
+export const getClientIdHeroku = async () => (await client.getSecret("CLIENT_ID_HEROKU")).secretValue;
+export const getClientIdVercel = async () => (await client.getSecret("CLIENT_ID_VERCEL")).secretValue;
+export const getClientIdNetlify = async () => (await client.getSecret("CLIENT_ID_NETLIFY")).secretValue;
+export const getClientIdGitHub = async () => (await client.getSecret("CLIENT_ID_GITHUB")).secretValue;
+export const getClientIdGitLab = async () => (await client.getSecret("CLIENT_ID_GITLAB")).secretValue;
+export const getClientIdGoogle = async () => (await client.getSecret("CLIENT_ID_GOOGLE")).secretValue;
+export const getClientSecretAzure = async () => (await client.getSecret("CLIENT_SECRET_AZURE")).secretValue;
+export const getClientSecretHeroku = async () => (await client.getSecret("CLIENT_SECRET_HEROKU")).secretValue;
+export const getClientSecretVercel = async () => (await client.getSecret("CLIENT_SECRET_VERCEL")).secretValue;
+export const getClientSecretNetlify = async () => (await client.getSecret("CLIENT_SECRET_NETLIFY")).secretValue;
+export const getClientSecretGitHub = async () => (await client.getSecret("CLIENT_SECRET_GITHUB")).secretValue;
+export const getClientSecretGitLab = async () => (await client.getSecret("CLIENT_SECRET_GITLAB")).secretValue;
+export const getClientSecretGoogle = async () => (await client.getSecret("CLIENT_SECRET_GOOGLE")).secretValue;
+export const getClientSlugVercel = async () => (await client.getSecret("CLIENT_SLUG_VERCEL")).secretValue;
+export const getPostHogHost = async () => (await client.getSecret("POSTHOG_HOST")).secretValue || "https://app.posthog.com";
+export const getPostHogProjectApiKey = async () => (await client.getSecret("POSTHOG_PROJECT_API_KEY")).secretValue || "phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE";
+export const getSentryDSN = async () => (await client.getSecret("SENTRY_DSN")).secretValue;
+export const getSiteURL = async () => (await client.getSecret("SITE_URL")).secretValue;
+export const getSmtpHost = async () => (await client.getSecret("SMTP_HOST")).secretValue;
+export const getSmtpSecure = async () => (await client.getSecret("SMTP_SECURE")).secretValue === "true" || false;
+export const getSmtpPort = async () => parseInt((await client.getSecret("SMTP_PORT")).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret("SMTP_USERNAME")).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret("SMTP_PASSWORD")).secretValue;
+export const getSmtpFromAddress = async () => (await client.getSecret("SMTP_FROM_ADDRESS")).secretValue;
+export const getSmtpFromName = async () => (await client.getSecret("SMTP_FROM_NAME")).secretValue || "Infisical";
 
 export const getLicenseKey = async () => {
-  const secretValue = (await client.getSecret('LICENSE_KEY')).secretValue;
-  return secretValue === '' ? undefined : secretValue;
+  const secretValue = (await client.getSecret("LICENSE_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
 }
 export const getLicenseServerKey = async () => {
-  const secretValue = (await client.getSecret('LICENSE_SERVER_KEY')).secretValue;
-  return secretValue === '' ? undefined : secretValue;
+  const secretValue = (await client.getSecret("LICENSE_SERVER_KEY")).secretValue;
+  return secretValue === "" ? undefined : secretValue;
 }
-export const getLicenseServerUrl = async () => (await client.getSecret('LICENSE_SERVER_URL')).secretValue || 'https://portal.infisical.com';
+export const getLicenseServerUrl = async () => (await client.getSecret("LICENSE_SERVER_URL")).secretValue || "https://portal.infisical.com";
 
-// TODO: deprecate from here
-export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
-export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
-export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
-export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
-export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
-export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
-
-export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
-export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
-export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true
+export const getTelemetryEnabled = async () => (await client.getSecret("TELEMETRY_ENABLED")).secretValue !== "false" && true;
+export const getLoopsApiKey = async () => (await client.getSecret("LOOPS_API_KEY")).secretValue;
+export const getSmtpConfigured = async () => (await client.getSecret("SMTP_HOST")).secretValue == "" || (await client.getSecret("SMTP_HOST")).secretValue == undefined ? false : true
 export const getHttpsEnabled = async () => {
   if ((await getNodeEnv()) != "production") {
     // no https for anything other than prod
     return false
   }
 
-  if ((await client.getSecret('HTTPS_ENABLED')).secretValue == undefined || (await client.getSecret('HTTPS_ENABLED')).secretValue == "") {
+  if ((await client.getSecret("HTTPS_ENABLED")).secretValue == undefined || (await client.getSecret("HTTPS_ENABLED")).secretValue == "") {
     // default when no value present
     return true
   }
 
-  return (await client.getSecret('HTTPS_ENABLED')).secretValue === 'true' && true
-}
+  return (await client.getSecret("HTTPS_ENABLED")).secretValue === "true" && true
+}

backend/src/config/request.ts

@@ -1,16 +1,16 @@
-import axios from 'axios';
-import axiosRetry from 'axios-retry';
+import axios from "axios";
+import axiosRetry from "axios-retry";
 import {
-  getLicenseServerKeyAuthToken,
-  setLicenseServerKeyAuthToken,
   getLicenseKeyAuthToken,
-  setLicenseKeyAuthToken
-} from './storage';
+  getLicenseServerKeyAuthToken,
+  setLicenseKeyAuthToken,
+  setLicenseServerKeyAuthToken,
+} from "./storage";
 import {
   getLicenseKey,
   getLicenseServerKey, 
-  getLicenseServerUrl
-} from './index';
+  getLicenseServerUrl,
+} from "./index";
 
 // should have JWT to interact with the license server
 export const licenseServerKeyRequest = axios.create();
@@ -35,8 +35,8 @@ export const refreshLicenseServerKeyToken = async () => {
     `${licenseServerUrl}/api/auth/v1/license-server-login`, {},
     {
       headers: {
-        'X-API-KEY': licenseServerKey
-      }
+        "X-API-KEY": licenseServerKey,
+      },
     }
   );
 
@@ -53,8 +53,8 @@ export const refreshLicenseKeyToken = async () => {
     `${licenseServerUrl}/api/auth/v1/license-login`, {},
     {
       headers: {
-        'X-API-KEY': licenseKey
-      }
+        "X-API-KEY": licenseKey,
+      },
     }
   );
 
@@ -86,7 +86,7 @@ licenseServerKeyRequest.interceptors.response.use((response) => {
     // refresh
     const token = await refreshLicenseServerKeyToken();            
     
-    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    axios.defaults.headers.common["Authorization"] = "Bearer " + token;
     return licenseServerKeyRequest(originalRequest);
   }
 
@@ -116,7 +116,7 @@ licenseKeyRequest.interceptors.response.use((response) => {
     // refresh
     const token = await refreshLicenseKeyToken();            
     
-    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    axios.defaults.headers.common["Authorization"] = "Bearer " + token;
     return licenseKeyRequest(originalRequest);
   }
 

backend/src/config/storage.ts

@@ -5,7 +5,7 @@ const MemoryLicenseServerKeyTokenStorage = () => {
       setToken: (token: string) => {
         authToken = token;
       },
-      getToken: () => authToken
+      getToken: () => authToken,
     };
 };
 
@@ -16,7 +16,7 @@ const MemoryLicenseKeyTokenStorage = () => {
       setToken: (token: string) => {
         authToken = token;
       },
-      getToken: () => authToken
+      getToken: () => authToken,
     };
 };
 

backend/src/controllers/v1/authController.ts

@@ -1,29 +1,39 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as bigintConversion from 'bigint-conversion';
+import { Request, Response } from "express";
+import fs from "fs";
+import path from "path";
+import jwt from "jsonwebtoken";
+import * as bigintConversion from "bigint-conversion";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
+const jsrp = require("jsrp");
+import { 
+  LoginSRPDetail, 
+  TokenVersion,
+  User,
+} from "../../models";
+import { clearTokens, createToken, issueAuthTokens } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
 import {
   ACTION_LOGIN,
-  ACTION_LOGOUT
-} from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { EELogService } from '../../ee/services';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+  ACTION_LOGOUT,
+  AUTH_MODE_JWT,
+} from "../../variables";
+import { 
+  BadRequestError,
+  UnauthorizedRequestError,
+} from "../../utils/errors";
+import { EELogService } from "../../ee/services";
+import { getChannelFromUserAgent } from "../../utils/posthog";
 import {
-  getJwtRefreshSecret,
+  getHttpsEnabled,
   getJwtAuthLifetime,
   getJwtAuthSecret,
-  getHttpsEnabled
-} from '../../config';
+  getJwtRefreshSecret,
+} from "../../config";
 
-declare module 'jsonwebtoken' {
+declare module "jsonwebtoken" {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
     userId: string;
+    refreshVersion?: number;
   }
 }
 
@@ -34,47 +44,39 @@ declare module 'jsonwebtoken' {
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-  try {
-    const {
-      email,
-      clientPublicKey
-    }: { email: string; clientPublicKey: string } = req.body;
+  const {
+    email,
+    clientPublicKey,
+  }: { email: string; clientPublicKey: string } = req.body;
 
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
+  const user = await User.findOne({
+    email,
+  }).select("+salt +verifier");
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
-    const server = new jsrp.server();
-    server.init(
-      {
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+    },
+    async () => {
+      // generate server-side public key
+      const serverPublicKey = server.getPublicKey();
+
+      await LoginSRPDetail.findOneAndReplace({ email: email }, {
+        email: email,
+        clientPublicKey: clientPublicKey,
+        serverBInt: bigintConversion.bigintToBuf(server.bInt),
+      }, { upsert: true, returnNewDocument: false })
+
+      return res.status(200).send({
+        serverPublicKey,
         salt: user.salt,
-        verifier: user.verifier
-      },
-      async () => {
-        // generate server-side public key
-        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false })
-
-        return res.status(200).send({
-          serverPublicKey,
-          salt: user.salt
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
+      });
+    }
+  );
 };
 
 /**
@@ -85,84 +87,80 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-  try {
-    const { email, clientProof } = req.body;
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
+  const { email, clientProof } = req.body;
+  const user = await User.findOne({
+    email,
+  }).select("+salt +verifier +publicKey +encryptedPrivateKey +iv +tag");
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
-    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
 
-    if (!loginSRPDetailFromDB) {
-      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-    }
+  if (!loginSRPDetailFromDB) {
+    return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+  }
 
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier,
-        b: loginSRPDetailFromDB.serverBInt
-      },
-      async () => {
-        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+      b: loginSRPDetailFromDB.serverBInt,
+    },
+    async () => {
+      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
-        // compare server and client shared keys
-        if (server.checkClientProof(clientProof)) {
-          // issue tokens
+      // compare server and client shared keys
+      if (server.checkClientProof(clientProof)) {
+        // issue tokens
 
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
-          });
+        await checkUserDevice({
+          user,
+          ip: req.realIP,
+          userAgent: req.headers["user-agent"] ?? "",
+        });
 
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+        const tokens = await issueAuthTokens({ 
+          userId: user._id,
+          ip: req.realIP,
+          userAgent: req.headers["user-agent"] ?? "",
+        });
 
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: await getHttpsEnabled()
-          });
+        // store (refresh) token in httpOnly cookie
+        res.cookie("jid", tokens.refreshToken, {
+          httpOnly: true,
+          path: "/",
+          sameSite: "strict",
+          secure: await getHttpsEnabled(),
+        });
 
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
+        const loginAction = await EELogService.createAction({
+          name: ACTION_LOGIN,
+          userId: user._id,
+        });
 
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
-          });
+        loginAction && await EELogService.createLog({
+          userId: user._id,
+          actions: [loginAction],
+          channel: getChannelFromUserAgent(req.headers["user-agent"]),
+          ipAddress: req.realIP,
+        });
 
-          // return (access) token in response
-          return res.status(200).send({
-            token: tokens.token,
-            publicKey: user.publicKey,
-            encryptedPrivateKey: user.encryptedPrivateKey,
-            iv: user.iv,
-            tag: user.tag
-          });
-        }
-
-        return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
+        // return (access) token in response
+        return res.status(200).send({
+          token: tokens.token,
+          publicKey: user.publicKey,
+          encryptedPrivateKey: user.encryptedPrivateKey,
+          iv: user.iv,
+          tag: user.tag,
         });
       }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
+
+      return res.status(400).send({
+        message: "Failed to authenticate. Try again?",
+      });
+    }
+  );
 };
 
 /**
@@ -172,44 +170,59 @@ export const login2 = async (req: Request, res: Response) => {
  * @returns
  */
 export const logout = async (req: Request, res: Response) => {
-  try {
-    await clearTokens({
-      userId: req.user._id.toString()
-    });
-
-    // clear httpOnly cookie
-    res.cookie('jid', '', {
-      httpOnly: true,
-      path: '/',
-      sameSite: 'strict',
-      secure: (await getHttpsEnabled()) as boolean
-    });
-
-    const logoutAction = await EELogService.createAction({
-      name: ACTION_LOGOUT,
-      userId: req.user._id
-    });
-
-    logoutAction && await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to logout'
-    });
+  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User && req.authData.tokenVersionId) {
+    await clearTokens(req.authData.tokenVersionId)
   }
 
+  // clear httpOnly cookie
+  res.cookie("jid", "", {
+    httpOnly: true,
+    path: "/",
+    sameSite: "strict",
+    secure: (await getHttpsEnabled()) as boolean,
+  });
+
+  const logoutAction = await EELogService.createAction({
+    name: ACTION_LOGOUT,
+    userId: req.user._id,
+  });
+
+  logoutAction && await EELogService.createLog({
+    userId: req.user._id,
+    actions: [logoutAction],
+    channel: getChannelFromUserAgent(req.headers["user-agent"]),
+    ipAddress: req.realIP,
+  });
+
   return res.status(200).send({
-    message: 'Successfully logged out.'
+    message: "Successfully logged out.",
   });
 };
 
+export const getCommonPasswords = async (req: Request, res: Response) => {
+  const commonPasswords = fs.readFileSync(
+		path.resolve(__dirname, "../../data/" + "common_passwords.txt"),
+		"utf8"
+	).split("\n");	
+
+  return res.status(200).send(commonPasswords);
+}
+
+export const revokeAllSessions = async (req: Request, res: Response) => {
+  await TokenVersion.updateMany({
+    user: req.user._id,
+  }, {
+    $inc: {
+      refreshVersion: 1,
+      accessVersion: 1,
+    },
+  });
+
+  return res.status(200).send({
+    message: "Successfully revoked all sessions.",
+  }); 
+}
+
 /**
  * Return user is authenticated
  * @param req
@@ -218,54 +231,58 @@ export const logout = async (req: Request, res: Response) => {
  */
 export const checkAuth = async (req: Request, res: Response) => {
   return res.status(200).send({
-    message: 'Authenticated'
+    message: "Authenticated",
   });
 }
 
 /**
- * Return new token by redeeming refresh token
+ * Return new JWT access token by first validating the refresh token
  * @param req
  * @param res
  * @returns
  */
 export const getNewToken = async (req: Request, res: Response) => {
-  try {
-    const refreshToken = req.cookies.jid;
+  const refreshToken = req.cookies.jid;
 
-    if (!refreshToken) {
-      throw new Error('Failed to find token in request cookies');
-    }
+  if (!refreshToken) throw BadRequestError({
+    message: "Failed to find refresh token in request cookies"
+  });
 
-    const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, await getJwtRefreshSecret())
-    );
+  const decodedToken = <jwt.UserIDJwtPayload>(
+    jwt.verify(refreshToken, await getJwtRefreshSecret())
+  );
 
-    const user = await User.findOne({
-      _id: decodedToken.userId
-    }).select('+publicKey');
+  const user = await User.findOne({
+    _id: decodedToken.userId,
+  }).select("+publicKey +refreshVersion +accessVersion");
 
-    if (!user) throw new Error('Failed to authenticate unfound user');
-    if (!user?.publicKey)
-      throw new Error('Failed to authenticate not fully set up account');
+  if (!user) throw new Error("Failed to authenticate unfound user");
+  if (!user?.publicKey)
+    throw new Error("Failed to authenticate not fully set up account");
+  
+  const tokenVersion = await TokenVersion.findById(decodedToken.tokenVersionId);
 
-    const token = createToken({
-      payload: {
-        userId: decodedToken.userId
-      },
-      expiresIn: await getJwtAuthLifetime(),
-      secret: await getJwtAuthSecret()
-    });
+  if (!tokenVersion) throw UnauthorizedRequestError({
+    message: "Failed to validate refresh token",
+  });
 
-    return res.status(200).send({
-      token
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Invalid request'
-    });
-  }
+  if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) throw BadRequestError({
+    message: "Failed to validate refresh token",
+  });
+
+  const token = createToken({
+    payload: {
+      userId: decodedToken.userId,
+      tokenVersionId: tokenVersion._id.toString(),
+      accessVersion: tokenVersion.refreshVersion,
+    },
+    expiresIn: await getJwtAuthLifetime(),
+    secret: await getJwtAuthSecret(),
+  });
+
+  return res.status(200).send({
+    token,
+  });
 };
 
 export const handleAuthProviderCallback = (req: Request, res: Response) => {

backend/src/controllers/v1/botController.ts

@@ -1,8 +1,7 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import { Bot, BotKey } from '../../models';
-import { createBot } from '../../helpers/bot';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Bot, BotKey } from "../../models";
+import { createBot } from "../../helpers/bot";
 
 interface BotKey {
     encryptedKey: string;
@@ -17,33 +16,24 @@ interface BotKey {
  * @returns
  */
 export const getBotByWorkspaceId = async (req: Request, res: Response) => {
-    let bot;
-	try {
-        const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-        bot = await Bot.findOne({
-            workspace: workspaceId
-        });
-        
-        if (!bot) {
-            // case: bot doesn't exist for workspace with id [workspaceId]
-            // -> create a new bot and return it
-            bot = await createBot({
-                name: 'Infisical Bot',
-                workspaceId: new Types.ObjectId(workspaceId)
-            });
-        }
-	} catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-        return res.status(400).send({
-			message: 'Failed to get bot for workspace'
-		});
-	}
+  let bot = await Bot.findOne({
+      workspace: workspaceId,
+  });
+  
+  if (!bot) {
+      // case: bot doesn't exist for workspace with id [workspaceId]
+      // -> create a new bot and return it
+      bot = await createBot({
+          name: "Infisical Bot",
+          workspaceId: new Types.ObjectId(workspaceId),
+      });
+  }
     
-    return res.status(200).send({
-        bot
-    });
+  return res.status(200).send({
+      bot,
+  });
 };
 
 /**
@@ -53,56 +43,46 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
  * @returns
  */
 export const setBotActiveState = async (req: Request, res: Response) => {
-    let bot;
-	try {
-        const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
-        
-        if (isActive) {
-            // bot state set to active -> share workspace key with bot
-            if (!botKey?.encryptedKey || !botKey?.nonce) {
-                return res.status(400).send({
-                    message: 'Failed to set bot state to active - missing bot key'
-                });
-            }
-            
-            await BotKey.findOneAndUpdate({
-                workspace: req.bot.workspace
-            }, {
-                encryptedKey: botKey.encryptedKey,
-                nonce: botKey.nonce,
-                sender: req.user._id,
-                bot: req.bot._id,
-                workspace: req.bot.workspace
-            }, {
-                upsert: true,
-                new: true
-            });
-        } else {
-            // case: bot state set to inactive -> delete bot's workspace key
-            await BotKey.deleteOne({
-                bot: req.bot._id
+    const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
+    
+    if (isActive) {
+        // bot state set to active -> share workspace key with bot
+        if (!botKey?.encryptedKey || !botKey?.nonce) {
+            return res.status(400).send({
+                message: "Failed to set bot state to active - missing bot key",
             });
         }
-
-        bot = await Bot.findOneAndUpdate({
-            _id: req.bot._id
+        
+        await BotKey.findOneAndUpdate({
+            workspace: req.bot.workspace,
         }, {
-            isActive
+            encryptedKey: botKey.encryptedKey,
+            nonce: botKey.nonce,
+            sender: req.user._id,
+            bot: req.bot._id,
+            workspace: req.bot.workspace,
         }, {
-            new: true
+            upsert: true,
+            new: true,
         });
-        
-        if (!bot) throw new Error('Failed to update bot active state');
-        
-	} catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-        return res.status(400).send({
-			message: 'Failed to update bot active state'
-		});
-	}
+    } else {
+        // case: bot state set to inactive -> delete bot's workspace key
+        await BotKey.deleteOne({
+            bot: req.bot._id,
+        });
+    }
+
+    const bot = await Bot.findOneAndUpdate({
+        _id: req.bot._id,
+    }, {
+        isActive,
+    }, {
+        new: true,
+    });
+    
+    if (!bot) throw new Error("Failed to update bot active state");
     
     return res.status(200).send({
-        bot
+        bot,
     });
 };

backend/src/controllers/v1/index.ts

@@ -1,19 +1,18 @@
-import * as authController from './authController';
-import * as botController from './botController';
-import * as integrationAuthController from './integrationAuthController';
-import * as integrationController from './integrationController';
-import * as keyController from './keyController';
-import * as membershipController from './membershipController';
-import * as membershipOrgController from './membershipOrgController';
-import * as organizationController from './organizationController';
-import * as passwordController from './passwordController';
-import * as secretController from './secretController';
-import * as serviceTokenController from './serviceTokenController';
-import * as signupController from './signupController';
-import * as stripeController from './stripeController';
-import * as userActionController from './userActionController';
-import * as userController from './userController';
-import * as workspaceController from './workspaceController';
+import * as authController from "./authController";
+import * as botController from "./botController";
+import * as integrationAuthController from "./integrationAuthController";
+import * as integrationController from "./integrationController";
+import * as keyController from "./keyController";
+import * as membershipController from "./membershipController";
+import * as membershipOrgController from "./membershipOrgController";
+import * as organizationController from "./organizationController";
+import * as passwordController from "./passwordController";
+import * as secretController from "./secretController";
+import * as serviceTokenController from "./serviceTokenController";
+import * as signupController from "./signupController";
+import * as userActionController from "./userActionController";
+import * as userController from "./userController";
+import * as workspaceController from "./workspaceController";
 
 export {
 	authController,
@@ -28,8 +27,7 @@ export {
 	secretController,
 	serviceTokenController,
 	signupController,
-	stripeController,
 	userActionController,
 	userController,
-	workspaceController
+	workspaceController,
 };

backend/src/controllers/v1/integrationAuthController.ts

@@ -1,54 +1,41 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { standardRequest } from "../../config/request";
+import { getApps, getTeams, revokeAccess } from "../../integrations";
+import { Bot, IntegrationAuth } from "../../models";
+import { IntegrationService } from "../../services";
 import {
-	IntegrationAuth,
-	Bot 
-} from '../../models';
-import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
-import { IntegrationService } from '../../services';
-import {
-	getApps, 
-	getTeams,
-	revokeAccess 
-} from '../../integrations';
-import {
-	INTEGRATION_VERCEL_API_URL,
-	INTEGRATION_RAILWAY_API_URL
-} from '../../variables';
-import { standardRequest } from '../../config/request';
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  INTEGRATION_RAILWAY_API_URL,
+  INTEGRATION_SET,
+  INTEGRATION_VERCEL_API_URL,
+  getIntegrationOptions as getIntegrationOptionsFunc
+} from "../../variables";
 
 /***
  * Return integration authorization with id [integrationAuthId]
  */
 export const getIntegrationAuth = async (req: Request, res: Response) => {
-	let integrationAuth;
-	try {
-		const { integrationAuthId } = req.params;
-		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-		
-		if (!integrationAuth) return res.status(400).send({
-			message: 'Failed to find integration authorization'
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get integration authorization'
-		});	
-	}
-	
-	return res.status(200).send({
-		integrationAuth
-	});
-}
+  const { integrationAuthId } = req.params;
+  const integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+
+  if (!integrationAuth)
+    return res.status(400).send({
+      message: "Failed to find integration authorization"
+    });
+
+  return res.status(200).send({
+    integrationAuth
+  });
+};
 
 export const getIntegrationOptions = async (req: Request, res: Response) => {
-	const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
+  const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();
 
-	return res.status(200).send({
-		integrationOptions: INTEGRATION_OPTIONS,
-	});
+  return res.status(200).send({
+    integrationOptions: INTEGRATION_OPTIONS
+  });
 };
 
 /**
@@ -57,107 +44,94 @@ export const getIntegrationOptions = async (req: Request, res: Response) => {
  * @param res
  * @returns
  */
-export const oAuthExchange = async (
-	req: Request,
-	res: Response
-) => {
-	try {
-		const { workspaceId, code, integration } = req.body;
-		if (!INTEGRATION_SET.has(integration))
-			throw new Error('Failed to validate integration');
-		
-		const environments = req.membership.workspace?.environments || [];
-		if(environments.length === 0){
-			throw new Error("Failed to get environments")
-		}
-	
-		const integrationAuth = await IntegrationService.handleOAuthExchange({
-			workspaceId,
-			integration,
-			code,
-			environment: environments[0].slug,
-		});
-		
-		return res.status(200).send({
-			integrationAuth
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get OAuth2 code-token exchange'
-		});
-	}
+export const oAuthExchange = async (req: Request, res: Response) => {
+  const { workspaceId, code, integration } = req.body;
+  if (!INTEGRATION_SET.has(integration)) throw new Error("Failed to validate integration");
+
+  const environments = req.membership.workspace?.environments || [];
+  if (environments.length === 0) {
+    throw new Error("Failed to get environments");
+  }
+
+  const integrationAuth = await IntegrationService.handleOAuthExchange({
+    workspaceId,
+    integration,
+    code,
+    environment: environments[0].slug
+  });
+
+  return res.status(200).send({
+    integrationAuth
+  });
 };
 
 /**
  * Save integration access token and (optionally) access id as part of integration
  * [integration] for workspace with id [workspaceId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
-export const saveIntegrationAccessToken = async (
-  req: Request,
-  res: Response
-) => {
-	// TODO: refactor
-	// TODO: check if access token is valid for each integration
+export const saveIntegrationAccessToken = async (req: Request, res: Response) => {
+  // TODO: refactor
+  // TODO: check if access token is valid for each integration
 
-	let integrationAuth;
-	try {
-		const {
-			workspaceId,
-			accessId,
-			accessToken,
-			integration
-		}: {
-			workspaceId: string;
-			accessId: string | null;
-			accessToken: string;
-			integration: string;
-		} = req.body;
+  let integrationAuth;
+  const {
+    workspaceId,
+    accessId,
+    accessToken,
+    url,
+    namespace,
+    integration
+  }: {
+    workspaceId: string;
+    accessId: string | null;
+    accessToken: string;
+    url: string;
+    namespace: string;
+    integration: string;
+  } = req.body;
 
-		const bot = await Bot.findOne({
-            workspace: new Types.ObjectId(workspaceId),
-            isActive: true
-        });
-        
-        if (!bot) throw new Error('Bot must be enabled to save integration access token');
+  const bot = await Bot.findOne({
+    workspace: new Types.ObjectId(workspaceId),
+    isActive: true
+  });
 
-		integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            workspace: new Types.ObjectId(workspaceId),
-            integration
-        }, {
-            workspace: new Types.ObjectId(workspaceId),
-            integration,
-			algorithm: ALGORITHM_AES_256_GCM,
-			keyEncoding: ENCODING_SCHEME_UTF8
-		}, {
-            new: true,
-            upsert: true
-        });
-		
-		// encrypt and save integration access details
-		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
-			integrationAuthId: integrationAuth._id.toString(),
-			accessId,
-			accessToken,
-			accessExpiresAt: undefined
-		});
-		
-		if (!integrationAuth) throw new Error('Failed to save integration access token');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to save access token for integration'
-		});
-	}
-	
-	return res.status(200).send({
-		integrationAuth
-	});
-}
+  if (!bot) throw new Error("Bot must be enabled to save integration access token");
+
+  integrationAuth = await IntegrationAuth.findOneAndUpdate(
+    {
+      workspace: new Types.ObjectId(workspaceId),
+      integration
+    },
+    {
+      workspace: new Types.ObjectId(workspaceId),
+      integration,
+      url,
+      namespace,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
+    },
+    {
+      new: true,
+      upsert: true
+    }
+  );
+
+  // encrypt and save integration access details
+  integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+    integrationAuthId: integrationAuth._id.toString(),
+    accessId,
+    accessToken,
+    accessExpiresAt: undefined
+  });
+
+  if (!integrationAuth) throw new Error("Failed to save integration access token");
+
+  return res.status(200).send({
+    integrationAuth
+  });
+};
 
 /**
  * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
@@ -166,117 +140,109 @@ export const saveIntegrationAccessToken = async (
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-	let apps;
-	try {
-		const teamId = req.query.teamId as string;
-		
-		apps = await getApps({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken,
-			...teamId && { teamId }
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get integration authorization applications",
-		});
-	}
+  const teamId = req.query.teamId as string;
 
-	return res.status(200).send({
-		apps
-	});
+  const apps = await getApps({
+    integrationAuth: req.integrationAuth,
+    accessToken: req.accessToken,
+    accessId: req.accessId,
+    ...(teamId && { teamId })
+  });
+
+  return res.status(200).send({
+    apps
+  });
 };
 
 /**
  * Return list of teams allowed for integration with integration authorization id [integrationAuthId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getIntegrationAuthTeams = async (req: Request, res: Response) => {
-	const teams = await getTeams({
-		integrationAuth: req.integrationAuth,
-		accessToken: req.accessToken
-	});
-	
-	return res.status(200).send({
-		teams
-	});
-}
+  const teams = await getTeams({
+    integrationAuth: req.integrationAuth,
+    accessToken: req.accessToken
+  });
+
+  return res.status(200).send({
+    teams
+  });
+};
 
 /**
  * Return list of available Vercel (preview) branches for Vercel project with
  * id [appId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
 export const getIntegrationAuthVercelBranches = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface VercelBranch {
-		ref: string;
-		lastCommit: string;
-		isProtected: boolean;
-	}
+  const appId = req.query.appId as string;
 
-	const params = new URLSearchParams({
-		projectId: appId,
-		...(req.integrationAuth.teamId ? {
-			teamId: req.integrationAuth.teamId
-		} : {})
-	});
+  interface VercelBranch {
+    ref: string;
+    lastCommit: string;
+    isProtected: boolean;
+  }
 
-	let branches: string[] = [];
-	
-	if (appId && appId !== '') {
-		const { data }: { data: VercelBranch[] } = await standardRequest.get(
-			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
-			{
-				params,
-				headers: {
-					Authorization: `Bearer ${req.accessToken}`,
-					'Accept-Encoding': 'application/json'
-				}
-			}
-		);
-		
-		branches = data.map((b) => b.ref);
-	}
+  const params = new URLSearchParams({
+    projectId: appId,
+    ...(req.integrationAuth.teamId
+      ? {
+          teamId: req.integrationAuth.teamId
+        }
+      : {})
+  });
 
-	return res.status(200).send({
-		branches
-	});
-}
+  let branches: string[] = [];
+
+  if (appId && appId !== "") {
+    const { data }: { data: VercelBranch[] } = await standardRequest.get(
+      `${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
+      {
+        params,
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
+      }
+    );
+
+    branches = data.map((b) => b.ref);
+  }
+
+  return res.status(200).send({
+    branches
+  });
+};
 
 /**
  * Return list of Railway environments for Railway project with
  * id [appId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
 export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface RailwayEnvironment {
-		node: {
-			id: string;
-			name: string;
-			isEphemeral: boolean;
-		}
-	}
-	
-	interface Environment {
-		environmentId: string;
-		name: string;
-	}
-	
-	let environments: Environment[] = [];
+  const appId = req.query.appId as string;
 
-	if (appId && appId !== '') {
-		const query = `
+  interface RailwayEnvironment {
+    node: {
+      id: string;
+      name: string;
+      isEphemeral: boolean;
+    };
+  }
+
+  interface Environment {
+    environmentId: string;
+    name: string;
+  }
+
+  let environments: Environment[] = [];
+
+  if (appId && appId !== "") {
+    const query = `
 			query GetEnvironments($projectId: String!, $after: String, $before: String, $first: Int, $isEphemeral: Boolean, $last: Int) {
 				environments(projectId: $projectId, after: $after, before: $before, first: $first, isEphemeral: $isEphemeral, last: $last) {
 				edges {
@@ -289,59 +255,68 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
 				}
 			}
 			`;
-		
-		const variables = {
-			projectId: appId
-		}
-		
-		const { data: { data: { environments: { edges } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
-			query,
-			variables,
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
-			},
-		});
-		
-		environments = edges.map((e: RailwayEnvironment) => {
-			return ({
-				name: e.node.name,
-				environmentId: e.node.id
-			});
-		});
-	}
-	
-	return res.status(200).send({
-		environments
-	});
-}
+
+    const variables = {
+      projectId: appId
+    };
+
+    const {
+      data: {
+        data: {
+          environments: { edges }
+        }
+      }
+    } = await standardRequest.post(
+      INTEGRATION_RAILWAY_API_URL,
+      {
+        query,
+        variables
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
+
+    environments = edges.map((e: RailwayEnvironment) => {
+      return {
+        name: e.node.name,
+        environmentId: e.node.id
+      };
+    });
+  }
+
+  return res.status(200).send({
+    environments
+  });
+};
 
 /**
  * Return list of Railway services for Railway project with id
  * [appId]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
 export const getIntegrationAuthRailwayServices = async (req: Request, res: Response) => {
-	const { integrationAuthId } = req.params;
-	const appId = req.query.appId as string;
-	
-	interface RailwayService {
-		node: {
-			id: string;
-			name: string;
-		}
-	}
-	
-	interface Service {
-		name: string;
-		serviceId: string;
-	}
-	
-	let services: Service[] = [];
-	
-	const query = `
+  const appId = req.query.appId as string;
+
+  interface RailwayService {
+    node: {
+      id: string;
+      name: string;
+    };
+  }
+
+  interface Service {
+    name: string;
+    serviceId: string;
+  }
+
+  let services: Service[] = [];
+
+  const query = `
       query project($id: String!) {
         project(id: $id) {
           createdAt
@@ -369,31 +344,43 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
       }
     `;
 
-	if (appId && appId !== '') {
-		const variables = {
-			id: appId
-		}
-		
-		const { data: { data: { project: { services: { edges } } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
-			query,
-			variables
-		}, {
-			headers: {
-				'Authorization': `Bearer ${req.accessToken}`,
-				'Content-Type': 'application/json',
-			},
-		});
-		
-		services = edges.map((e: RailwayService) => ({
-			name: e.node.name,
-			serviceId: e.node.id
-		}));
-	}
-	
-	return res.status(200).send({
-		services
-	});
-}
+  if (appId && appId !== "") {
+    const variables = {
+      id: appId
+    };
+
+    const {
+      data: {
+        data: {
+          project: {
+            services: { edges }
+          }
+        }
+      }
+    } = await standardRequest.post(
+      INTEGRATION_RAILWAY_API_URL,
+      {
+        query,
+        variables
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${req.accessToken}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
+
+    services = edges.map((e: RailwayService) => ({
+      name: e.node.name,
+      serviceId: e.node.id
+    }));
+  }
+
+  return res.status(200).send({
+    services
+  });
+};
 
 /**
  * Delete integration authorization with id [integrationAuthId]
@@ -402,21 +389,12 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
  * @returns
  */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-  let integrationAuth;
-  try {
-    integrationAuth = await revokeAccess({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration authorization",
-    });
-  }
+  const integrationAuth = await revokeAccess({
+    integrationAuth: req.integrationAuth,
+    accessToken: req.accessToken
+  });
 
   return res.status(200).send({
-    integrationAuth,
+    integrationAuth
   });
 };

backend/src/controllers/v1/integrationController.ts

@@ -1,11 +1,11 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import { 
-	Integration
-} from '../../models';
-import { EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Integration } from "../../models";
+import { EventService } from "../../services";
+import { eventPushSecrets } from "../../events";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
+import { BadRequestError } from "../../utils/errors";
 
 /**
  * Create/initialize an (empty) integration for integration authorization
@@ -14,61 +14,66 @@ import { eventPushSecrets } from '../../events';
  * @returns
  */
 export const createIntegration = async (req: Request, res: Response) => {
-	let integration;
+  const {
+    integrationAuthId,
+    app,
+    appId,
+    isActive,
+    sourceEnvironment,
+    targetEnvironment,
+    targetEnvironmentId,
+    targetService,
+    targetServiceId,
+    owner,
+    path,
+    region,
+    secretPath,
+  } = req.body;
 
-	try {
-		const {
-			integrationAuthId,
-			app,
-			appId,
-			isActive,
-			sourceEnvironment,
-			targetEnvironment,
-			targetEnvironmentId,
-      targetService,
-      targetServiceId,
-			owner,
-			path,
-			region
-		} = req.body;
-		
-		// TODO: validate [sourceEnvironment] and [targetEnvironment]
+  const folders = await Folder.findOne({
+    workspace: req.integrationAuth.workspace._id,
+    environment: sourceEnvironment,
+  });
 
-		// initialize new integration after saving integration access token
-    integration = await new Integration({
-      workspace: req.integrationAuth.workspace._id,
-      environment: sourceEnvironment,
-      isActive,
-      app,
-			appId,
-			targetEnvironment,
-			targetEnvironmentId,
-      targetService,
-      targetServiceId,
-			owner,
-			path,
-			region,
-      integration: req.integrationAuth.integration,
-      integrationAuth: new Types.ObjectId(integrationAuthId)
-    }).save();
-		
-		if (integration) {
-			// trigger event - push secrets
-			EventService.handleEvent({
-				event: eventPushSecrets({
-					workspaceId: integration.workspace,
-          environment: sourceEnvironment
-				})
-			});
-		}
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw BadRequestError({
+        message: "Path for service token does not exist",
+      });
+    }
+  }
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create integration'
-		});
-	}
+  // TODO: validate [sourceEnvironment] and [targetEnvironment]
+
+  // initialize new integration after saving integration access token
+  const integration = await new Integration({
+    workspace: req.integrationAuth.workspace._id,
+    environment: sourceEnvironment,
+    isActive,
+    app,
+    appId,
+    targetEnvironment,
+    targetEnvironmentId,
+    targetService,
+    targetServiceId,
+    owner,
+    path,
+    region,
+    secretPath,
+    integration: req.integrationAuth.integration,
+    integrationAuth: new Types.ObjectId(integrationAuthId),
+  }).save();
+
+  if (integration) {
+    // trigger event - push secrets
+    EventService.handleEvent({
+      event: eventPushSecrets({
+        workspaceId: integration.workspace,
+        environment: sourceEnvironment,
+      }),
+    });
+  }
 
   return res.status(200).send({
     integration,
@@ -82,52 +87,58 @@ export const createIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const updateIntegration = async (req: Request, res: Response) => {
-  let integration;
-
   // TODO: add integration-specific validation to ensure that each
   // integration has the correct fields populated in [Integration]
 
-  try {
-    const {
+  const {
+    environment,
+    isActive,
+    app,
+    appId,
+    targetEnvironment,
+    owner, // github-specific integration param
+    secretPath,
+  } = req.body;
+
+  const folders = await Folder.findOne({
+    workspace: req.integration.workspace,
+    environment,
+  });
+
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw BadRequestError({
+        message: "Path for service token does not exist",
+      });
+    }
+  }
+
+  const integration = await Integration.findOneAndUpdate(
+    {
+      _id: req.integration._id,
+    },
+    {
       environment,
       isActive,
       app,
       appId,
       targetEnvironment,
-      owner, // github-specific integration param
-    } = req.body;
-
-    integration = await Integration.findOneAndUpdate(
-      {
-        _id: req.integration._id,
-      },
-      {
-        environment,
-        isActive,
-        app,
-        appId,
-        targetEnvironment,
-        owner,
-      },
-      {
-        new: true,
-      }
-    );
-
-    if (integration) {
-      // trigger event - push secrets
-      EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: integration.workspace,
-          environment
-        }),
-      });
+      owner,
+      secretPath,
+    },
+    {
+      new: true,
     }
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to update integration",
+  );
+
+  if (integration) {
+    // trigger event - push secrets
+    EventService.handleEvent({
+      event: eventPushSecrets({
+        workspaceId: integration.workspace,
+        environment,
+      }),
     });
   }
 
@@ -144,22 +155,13 @@ export const updateIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegration = async (req: Request, res: Response) => {
-  let integration;
-  try {
-    const { integrationId } = req.params;
+  const { integrationId } = req.params;
 
-    integration = await Integration.findOneAndDelete({
-      _id: integrationId,
-    });
+  const integration = await Integration.findOneAndDelete({
+    _id: integrationId,
+  });
 
-    if (!integration) throw new Error("Failed to find integration");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration",
-    });
-  }
+  if (!integration) throw new Error("Failed to find integration");
 
   return res.status(200).send({
     integration,

backend/src/controllers/v1/keyController.ts

@@ -1,7 +1,6 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Key } from '../../models';
-import { findMembership } from '../../helpers/membership';
+import { Request, Response } from "express";
+import { Key } from "../../models";
+import { findMembership } from "../../helpers/membership";
 
 /**
  * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@@ -11,37 +10,29 @@ import { findMembership } from '../../helpers/membership';
  * @returns
  */
 export const uploadKey = async (req: Request, res: Response) => {
-	try {
-		const { workspaceId } = req.params;
-		const { key } = req.body;
+  const { workspaceId } = req.params;
+  const { key } = req.body;
 
-		// validate membership of receiver
-		const receiverMembership = await findMembership({
-			user: key.userId,
-			workspace: workspaceId
-		});
+  // validate membership of receiver
+  const receiverMembership = await findMembership({
+    user: key.userId,
+    workspace: workspaceId,
+  });
 
-		if (!receiverMembership) {
-			throw new Error('Failed receiver membership validation for workspace');
-		}
+  if (!receiverMembership) {
+    throw new Error("Failed receiver membership validation for workspace");
+  }
 
-		await new Key({
-			encryptedKey: key.encryptedKey,
-			nonce: key.nonce,
-			sender: req.user._id,
-			receiver: key.userId,
-			workspace: workspaceId
-		}).save();
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload key to workspace'
-		});
-	}
+  await new Key({
+    encryptedKey: key.encryptedKey,
+    nonce: key.nonce,
+    sender: req.user._id,
+    receiver: key.userId,
+    workspace: workspaceId,
+  }).save();
 
 	return res.status(200).send({
-		message: 'Successfully uploaded key to workspace'
+		message: "Successfully uploaded key to workspace",
 	});
 };
 
@@ -52,31 +43,22 @@ export const uploadKey = async (req: Request, res: Response) => {
  * @returns
  */
 export const getLatestKey = async (req: Request, res: Response) => {
-	let latestKey;
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-		// get latest key
-		latestKey = await Key.find({
-			workspace: workspaceId,
-			receiver: req.user._id
-		})
-			.sort({ createdAt: -1 })
-			.limit(1)
-			.populate('sender', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get latest key'
-		});
-	}
+  // get latest key
+  const latestKey = await Key.find({
+    workspace: workspaceId,
+    receiver: req.user._id,
+  })
+    .sort({ createdAt: -1 })
+    .limit(1)
+    .populate("sender", "+publicKey");
 
 	const resObj: any = {};
 
 	if (latestKey.length > 0) {
-		resObj['latestKey'] = latestKey[0];
+		resObj["latestKey"] = latestKey[0];
 	}
 
 	return res.status(200).send(resObj);
-};
+};

backend/src/controllers/v1/membershipController.ts

@@ -1,13 +1,9 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import { Membership, MembershipOrg, User, Key } from '../../models';
-import {
-	findMembership,
-	deleteMembership as deleteMember
-} from '../../helpers/membership';
-import { sendMail } from '../../helpers/nodemailer';
-import { ADMIN, MEMBER, ACCEPTED } from '../../variables';
-import { getSiteURL } from '../../config';
+import { Request, Response } from "express";
+import { Key, Membership, MembershipOrg, User } from "../../models";
+import { deleteMembership as deleteMember, findMembership } from "../../helpers/membership";
+import { sendMail } from "../../helpers/nodemailer";
+import { ACCEPTED, ADMIN, MEMBER } from "../../variables";
+import { getSiteURL } from "../../config";
 
 /**
  * Check that user is a member of workspace with id [workspaceId]
@@ -16,29 +12,20 @@ import { getSiteURL } from '../../config';
  * @returns
  */
 export const validateMembership = async (req: Request, res: Response) => {
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
+  // validate membership
+  const membership = await findMembership({
+    user: req.user._id,
+    workspace: workspaceId
+  });
 
-		// validate membership
-		const membership = await findMembership({
-			user: req.user._id,
-			workspace: workspaceId
-		});
+  if (!membership) {
+    throw new Error("Failed to validate membership");
+  }
 
-		if (!membership) {
-			throw new Error('Failed to validate membership');
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed workspace connection check'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Workspace membership confirmed'
-	});
+  return res.status(200).send({
+    message: "Workspace membership confirmed"
+  });
 };
 
 /**
@@ -48,52 +35,41 @@ export const validateMembership = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteMembership = async (req: Request, res: Response) => {
-	let deletedMembership;
-	try {
-		const { membershipId } = req.params;
+  const { membershipId } = req.params;
 
-		// check if membership to delete exists
-		const membershipToDelete = await Membership.findOne({
-			_id: membershipId
-		}).populate('user');
+  // check if membership to delete exists
+  const membershipToDelete = await Membership.findOne({
+    _id: membershipId
+  }).populate("user");
 
-		if (!membershipToDelete) {
-			throw new Error(
-				"Failed to delete workspace membership that doesn't exist"
-			);
-		}
+  if (!membershipToDelete) {
+    throw new Error("Failed to delete workspace membership that doesn't exist");
+  }
 
-		// check if user is a member and admin of the workspace
-		// whose membership we wish to delete
-		const membership = await Membership.findOne({
-			user: req.user._id,
-			workspace: membershipToDelete.workspace
-		});
+  // check if user is a member and admin of the workspace
+  // whose membership we wish to delete
+  const membership = await Membership.findOne({
+    user: req.user._id,
+    workspace: membershipToDelete.workspace
+  });
 
-		if (!membership) {
-			throw new Error('Failed to validate workspace membership');
-		}
+  if (!membership) {
+    throw new Error("Failed to validate workspace membership");
+  }
 
-		if (membership.role !== ADMIN) {
-			// user is not an admin member of the workspace
-			throw new Error('Insufficient role for deleting workspace membership');
-		}
+  if (membership.role !== ADMIN) {
+    // user is not an admin member of the workspace
+    throw new Error("Insufficient role for deleting workspace membership");
+  }
 
-		// delete workspace membership
-		deletedMembership = await deleteMember({
-			membershipId: membershipToDelete._id.toString()
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete membership'
-		});
-	}
+  // delete workspace membership
+  const deletedMembership = await deleteMember({
+    membershipId: membershipToDelete._id.toString()
+  });
 
-	return res.status(200).send({
-		deletedMembership
-	});
+  return res.status(200).send({
+    deletedMembership
+  });
 };
 
 /**
@@ -103,53 +79,44 @@ export const deleteMembership = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeMembershipRole = async (req: Request, res: Response) => {
-	let membershipToChangeRole;
-	try {
-		const { membershipId } = req.params;
-		const { role } = req.body;
+  const { membershipId } = req.params;
+  const { role } = req.body;
 
-		if (![ADMIN, MEMBER].includes(role)) {
-			throw new Error('Failed to validate role');
-		}
+  if (![ADMIN, MEMBER].includes(role)) {
+    throw new Error("Failed to validate role");
+  }
 
-		// validate target membership
-		membershipToChangeRole = await findMembership({
-			_id: membershipId
-		});
+  // validate target membership
+  const membershipToChangeRole = await findMembership({
+    _id: membershipId
+  });
 
-		if (!membershipToChangeRole) {
-			throw new Error('Failed to find membership to change role');
-		}
+  if (!membershipToChangeRole) {
+    throw new Error("Failed to find membership to change role");
+  }
 
-		// check if user is a member and admin of target membership's
-		// workspace
-		const membership = await findMembership({
-			user: req.user._id,
-			workspace: membershipToChangeRole.workspace
-		});
+  // check if user is a member and admin of target membership's
+  // workspace
+  const membership = await findMembership({
+    user: req.user._id,
+    workspace: membershipToChangeRole.workspace
+  });
 
-		if (!membership) {
-			throw new Error('Failed to validate membership');
-		}
+  if (!membership) {
+    throw new Error("Failed to validate membership");
+  }
 
-		if (membership.role !== ADMIN) {
-			// user is not an admin member of the workspace
-			throw new Error('Insufficient role for changing member roles');
-		}
+  if (membership.role !== ADMIN) {
+    // user is not an admin member of the workspace
+    throw new Error("Insufficient role for changing member roles");
+  }
 
-		membershipToChangeRole.role = role;
-		await membershipToChangeRole.save();
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change membership role'
-		});
-	}
+  membershipToChangeRole.role = role;
+  await membershipToChangeRole.save();
 
-	return res.status(200).send({
-		membership: membershipToChangeRole
-	});
+  return res.status(200).send({
+    membership: membershipToChangeRole
+  });
 };
 
 /**
@@ -159,75 +126,63 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToWorkspace = async (req: Request, res: Response) => {
-	let invitee, latestKey;
-	try {
-		const { workspaceId } = req.params;
-		const { email }: { email: string } = req.body;
+  const { workspaceId } = req.params;
+  const { email }: { email: string } = req.body;
 
-		invitee = await User.findOne({
-			email
-		}).select('+publicKey');
+  const invitee = await User.findOne({
+    email
+  }).select("+publicKey");
 
-		if (!invitee || !invitee?.publicKey)
-			throw new Error('Failed to validate invitee');
+  if (!invitee || !invitee?.publicKey) throw new Error("Failed to validate invitee");
 
-		// validate invitee's workspace membership - ensure member isn't
-		// already a member of the workspace
-		const inviteeMembership = await Membership.findOne({
-			user: invitee._id,
-			workspace: workspaceId
-		});
+  // validate invitee's workspace membership - ensure member isn't
+  // already a member of the workspace
+  const inviteeMembership = await Membership.findOne({
+    user: invitee._id,
+    workspace: workspaceId
+  });
 
-		if (inviteeMembership)
-			throw new Error('Failed to add existing member of workspace');
+  if (inviteeMembership) throw new Error("Failed to add existing member of workspace");
 
-		// validate invitee's organization membership - ensure that only
-		// (accepted) organization members can be added to the workspace
-		const membershipOrg = await MembershipOrg.findOne({
-			user: invitee._id,
-			organization: req.membership.workspace.organization,
-			status: ACCEPTED
-		});
+  // validate invitee's organization membership - ensure that only
+  // (accepted) organization members can be added to the workspace
+  const membershipOrg = await MembershipOrg.findOne({
+    user: invitee._id,
+    organization: req.membership.workspace.organization,
+    status: ACCEPTED
+  });
 
-		if (!membershipOrg)
-			throw new Error("Failed to validate invitee's organization membership");
+  if (!membershipOrg) throw new Error("Failed to validate invitee's organization membership");
 
-		// get latest key
-		latestKey = await Key.findOne({
-			workspace: workspaceId,
-			receiver: req.user._id
-		})
-			.sort({ createdAt: -1 })
-			.populate('sender', '+publicKey');
+  // get latest key
+  const latestKey = await Key.findOne({
+    workspace: workspaceId,
+    receiver: req.user._id
+  })
+    .sort({ createdAt: -1 })
+    .populate("sender", "+publicKey");
 
-		// create new workspace membership
-		const m = await new Membership({
-			user: invitee._id,
-			workspace: workspaceId,
-			role: MEMBER
-		}).save();
+  // create new workspace membership
+  await new Membership({
+    user: invitee._id,
+    workspace: workspaceId,
+    role: MEMBER
+  }).save();
 
-		await sendMail({
-			template: 'workspaceInvitation.handlebars',
-			subjectLine: 'Infisical workspace invitation',
-			recipients: [invitee.email],
-			substitutions: {
-				inviterFirstName: req.user.firstName,
-				inviterEmail: req.user.email,
-				workspaceName: req.membership.workspace.name,
-				callback_url: (await getSiteURL()) + '/login'
-			}
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to invite user to workspace'
-		});
-	}
+  await sendMail({
+    template: "workspaceInvitation.handlebars",
+    subjectLine: "Infisical workspace invitation",
+    recipients: [invitee.email],
+    substitutions: {
+      inviterFirstName: req.user.firstName,
+      inviterEmail: req.user.email,
+      workspaceName: req.membership.workspace.name,
+      callback_url: (await getSiteURL()) + "/login"
+    }
+  });
 
-	return res.status(200).send({
-		invitee,
-		latestKey
-	});
-};
+  return res.status(200).send({
+    invitee,
+    latestKey
+  });
+};

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,14 +1,27 @@
-import { Types } from 'mongoose';
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { MembershipOrg, Organization, User } from '../../models';
-import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
-import { createToken } from '../../helpers/auth';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+import { Types } from "mongoose";
+import { Request, Response } from "express";
+import { MembershipOrg, Organization, User } from "../../models";
+import { deleteMembershipOrg as deleteMemberFromOrg } from "../../helpers/membershipOrg";
+import { createToken } from "../../helpers/auth";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELicenseService } from "../../ee/services";
+import {
+  ACCEPTED,
+  ADMIN,
+  INVITED,
+  MEMBER,
+  OWNER,
+  TOKEN_EMAIL_ORG_INVITATION
+} from "../../variables";
+import {
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSiteURL,
+  getSmtpConfigured
+} from "../../config";
+import { validateUserEmail } from "../../validation";
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -16,55 +29,44 @@ import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured
  * @param res
  * @returns
  */
-export const deleteMembershipOrg = async (req: Request, res: Response) => {
-	let membershipOrgToDelete;
-	try {
-		const { membershipOrgId } = req.params;
+export const deleteMembershipOrg = async (req: Request, _res: Response) => {
+  const { membershipOrgId } = req.params;
 
-		// check if organization membership to delete exists
-		membershipOrgToDelete = await MembershipOrg.findOne({
-			_id: membershipOrgId
-		}).populate('user');
+  // check if organization membership to delete exists
+  const membershipOrgToDelete = await MembershipOrg.findOne({
+    _id: membershipOrgId
+  }).populate("user");
 
-		if (!membershipOrgToDelete) {
-			throw new Error(
-				"Failed to delete organization membership that doesn't exist"
-			);
-		}
+  if (!membershipOrgToDelete) {
+    throw new Error("Failed to delete organization membership that doesn't exist");
+  }
 
-		// check if user is a member and admin of the organization
-		// whose membership we wish to delete
-		const membershipOrg = await MembershipOrg.findOne({
-			user: req.user._id,
-			organization: membershipOrgToDelete.organization
-		});
+  // check if user is a member and admin of the organization
+  // whose membership we wish to delete
+  const membershipOrg = await MembershipOrg.findOne({
+    user: req.user._id,
+    organization: membershipOrgToDelete.organization
+  });
 
-		if (!membershipOrg) {
-			throw new Error('Failed to validate organization membership');
-		}
+  if (!membershipOrg) {
+    throw new Error("Failed to validate organization membership");
+  }
 
-		if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
-			// user is not an admin member of the organization
-			throw new Error('Insufficient role for deleting organization membership');
-		}
+  if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
+    // user is not an admin member of the organization
+    throw new Error("Insufficient role for deleting organization membership");
+  }
 
-		// delete organization membership
-		const deletedMembershipOrg = await deleteMemberFromOrg({
-			membershipOrgId: membershipOrgToDelete._id.toString()
-		});
+  // delete organization membership
+  await deleteMemberFromOrg({
+    membershipOrgId: membershipOrgToDelete._id.toString()
+  });
 
-		await updateSubscriptionOrgQuantity({
-			organizationId: membershipOrg.organization.toString()
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization membership'
-		});
-	}
+  await updateSubscriptionOrgQuantity({
+    organizationId: membershipOrg.organization.toString()
+  });
 
-	return membershipOrgToDelete;
+  return membershipOrgToDelete;
 };
 
 /**
@@ -74,22 +76,14 @@ export const deleteMembershipOrg = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeMembershipOrgRole = async (req: Request, res: Response) => {
-	// change role for (target) organization membership with id
-	// [membershipOrgId]
+  // change role for (target) organization membership with id
+  // [membershipOrgId]
 
-	let membershipToChangeRole;
-	// try {
-	// } catch (err) {
-	// 	Sentry.setUser({ email: req.user.email });
-	// 	Sentry.captureException(err);
-	// 	return res.status(400).send({
-	// 		message: 'Failed to change organization membership role'
-	// 	});
-	// }
+  let membershipToChangeRole;
 
-	return res.status(200).send({
-		membershipOrg: membershipToChangeRole
-	});
+  return res.status(200).send({
+    membershipOrg: membershipToChangeRole
+  });
 };
 
 /**
@@ -100,112 +94,119 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
-	let invitee, inviteeMembershipOrg, completeInviteLink;
-	try {
-		const { organizationId, inviteeEmail } = req.body;
-		const host = req.headers.host;
-		const siteUrl = `${req.protocol}://${host}`;
+  let inviteeMembershipOrg, completeInviteLink;
+  const { organizationId, inviteeEmail } = req.body;
+  const host = req.headers.host;
+  const siteUrl = `${req.protocol}://${host}`;
 
-		// validate membership
-		const membershipOrg = await MembershipOrg.findOne({
-			user: req.user._id,
-			organization: organizationId
-		});
+  // validate membership
+  const membershipOrg = await MembershipOrg.findOne({
+    user: req.user._id,
+    organization: organizationId
+  });
 
-		if (!membershipOrg) {
-			throw new Error('Failed to validate organization membership');
-		}
+  if (!membershipOrg) {
+    throw new Error("Failed to validate organization membership");
+  }
 
-		invitee = await User.findOne({
-			email: inviteeEmail
-		}).select('+publicKey');
+  const plan = await EELicenseService.getPlan(organizationId);
 
-		if (invitee) {
-			// case: invitee is an existing user
+  if (plan.memberLimit !== null) {
+    // case: limit imposed on number of members allowed
 
-			inviteeMembershipOrg = await MembershipOrg.findOne({
-				user: invitee._id,
-				organization: organizationId
-			});
+    if (plan.membersUsed >= plan.memberLimit) {
+      // case: number of members used exceeds the number of members allowed
+      return res.status(400).send({
+        message:
+          "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
+      });
+    }
+  }
 
-			if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
-				throw new Error(
-					'Failed to invite an existing member of the organization'
-				);
-			}
+  const invitee = await User.findOne({
+    email: inviteeEmail
+  }).select("+publicKey");
 
-			if (!inviteeMembershipOrg) {
-				
-				await new MembershipOrg({
-					user: invitee,
-					inviteEmail: inviteeEmail,
-					organization: organizationId,
-					role: MEMBER,
-					status: INVITED
-				}).save();
-			}
-		} else {
-			// check if invitee has been invited before
-			inviteeMembershipOrg = await MembershipOrg.findOne({
-				inviteEmail: inviteeEmail,
-				organization: organizationId
-			});
+  if (invitee) {
+    // case: invitee is an existing user
 
-			if (!inviteeMembershipOrg) {
-				// case: invitee has never been invited before
+    inviteeMembershipOrg = await MembershipOrg.findOne({
+      user: invitee._id,
+      organization: organizationId
+    });
 
-				await new MembershipOrg({
-					inviteEmail: inviteeEmail,
-					organization: organizationId,
-					role: MEMBER,
-					status: INVITED
-				}).save();
-			}
-		}
+    if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
+      throw new Error("Failed to invite an existing member of the organization");
+    }
 
-		const organization = await Organization.findOne({ _id: organizationId });
+    if (!inviteeMembershipOrg) {
+      await new MembershipOrg({
+        user: invitee,
+        inviteEmail: inviteeEmail,
+        organization: organizationId,
+        role: MEMBER,
+        status: INVITED
+      }).save();
+    }
+  } else {
+    // check if invitee has been invited before
+    inviteeMembershipOrg = await MembershipOrg.findOne({
+      inviteEmail: inviteeEmail,
+      organization: organizationId
+    });
 
-		if (organization) {
+    if (!inviteeMembershipOrg) {
+      // case: invitee has never been invited before
 
-			const token = await TokenService.createToken({
-				type: TOKEN_EMAIL_ORG_INVITATION,
-				email: inviteeEmail,
-				organizationId: organization._id
-			});
+      // validate that email is not disposable
+      validateUserEmail(inviteeEmail);
 
-			await sendMail({
-				template: 'organizationInvitation.handlebars',
-				subjectLine: 'Infisical organization invitation',
-				recipients: [inviteeEmail],
-				substitutions: {
-					inviterFirstName: req.user.firstName,
-					inviterEmail: req.user.email,
-					organizationName: organization.name,
-					email: inviteeEmail,
-					organizationId: organization._id.toString(),
-					token,
-					callback_url: (await getSiteURL()) + '/signupinvite'
-				}
-			});
+      await new MembershipOrg({
+        inviteEmail: inviteeEmail,
+        organization: organizationId,
+        role: MEMBER,
+        status: INVITED
+      }).save();
+    }
+  }
 
-			if (!(await getSmtpConfigured())) {
-				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
-			}
-		}
+  const organization = await Organization.findOne({ _id: organizationId });
 
-		await updateSubscriptionOrgQuantity({ organizationId });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to send organization invite'
-		});
-	}
+  if (organization) {
+    const token = await TokenService.createToken({
+      type: TOKEN_EMAIL_ORG_INVITATION,
+      email: inviteeEmail,
+      organizationId: organization._id
+    });
 
-	return res.status(200).send({
-		message: `Sent an invite link to ${req.body.inviteeEmail}`,
-		completeInviteLink
-	});
+    await sendMail({
+      template: "organizationInvitation.handlebars",
+      subjectLine: "Infisical organization invitation",
+      recipients: [inviteeEmail],
+      substitutions: {
+        inviterFirstName: req.user.firstName,
+        inviterEmail: req.user.email,
+        organizationName: organization.name,
+        email: inviteeEmail,
+        organizationId: organization._id.toString(),
+        token,
+        callback_url: (await getSiteURL()) + "/signupinvite"
+      }
+    });
+
+    if (!(await getSmtpConfigured())) {
+      completeInviteLink = `${
+        siteUrl + "/signupinvite"
+      }?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`;
+    }
+  }
+
+  await updateSubscriptionOrgQuantity({ organizationId });
+
+  return res.status(200).send({
+    message: `Sent an invite link to ${req.body.inviteeEmail}`,
+    completeInviteLink
+  });
 };
 
 /**
@@ -216,74 +217,61 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
-	let user, token;
-	try {
-		const {
-			email,
-			organizationId,
-			code
-		} = req.body;
+  let user;
+  const { email, organizationId, code } = req.body;
 
-		user = await User.findOne({ email }).select('+publicKey');
+  user = await User.findOne({ email }).select("+publicKey");
 
-		const membershipOrg = await MembershipOrg.findOne({
-			inviteEmail: email,
-			status: INVITED,
-			organization: new Types.ObjectId(organizationId)
-		});
+  const membershipOrg = await MembershipOrg.findOne({
+    inviteEmail: email,
+    status: INVITED,
+    organization: new Types.ObjectId(organizationId)
+  });
 
-		if (!membershipOrg)
-			throw new Error('Failed to find any invitations for email');
+  if (!membershipOrg) throw new Error("Failed to find any invitations for email");
 
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_ORG_INVITATION,
-			email,
-			organizationId: membershipOrg.organization,
-			token: code
-		});
+  await TokenService.validateToken({
+    type: TOKEN_EMAIL_ORG_INVITATION,
+    email,
+    organizationId: membershipOrg.organization,
+    token: code
+  });
 
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			// membership can be approved and redirected to login/dashboard
-			membershipOrg.status = ACCEPTED;
-			await membershipOrg.save();
-			
-			await updateSubscriptionOrgQuantity({
-				organizationId
-			});
+  if (user && user?.publicKey) {
+    // case: user has already completed account
+    // membership can be approved and redirected to login/dashboard
+    membershipOrg.status = ACCEPTED;
+    await membershipOrg.save();
 
-			return res.status(200).send({
-				message: 'Successfully verified email',
-				user,
-			});
-		}
+    await updateSubscriptionOrgQuantity({
+      organizationId
+    });
 
-		if (!user) {
-			// initialize user account
-			user = await new User({
-				email
-			}).save();
-		}
+    return res.status(200).send({
+      message: "Successfully verified email",
+      user
+    });
+  }
 
-		// generate temporary signup token
-		token = createToken({
-			payload: {
-				userId: user._id.toString()
-			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed email magic link verification for organization invitation'
-		});
-	}
+  if (!user) {
+    // initialize user account
+    user = await new User({
+      email
+    }).save();
+  }
 
-	return res.status(200).send({
-		message: 'Successfully verified email',
-		user,
-		token
-	});
+  // generate temporary signup token
+  const token = createToken({
+    payload: {
+      userId: user._id.toString()
+    },
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
+  });
+
+  return res.status(200).send({
+    message: "Successfully verified email",
+    user,
+    token
+  });
 };

backend/src/controllers/v1/organizationController.ts

@@ -1,38 +1,27 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import Stripe from 'stripe';
+import { Request, Response } from "express";
 import {
+	IncidentContactOrg,
 	Membership,
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg
-} from '../../models';
-import { createOrganization as create } from '../../helpers/organization';
-import { addMembershipsOrg } from '../../helpers/membershipOrg';
-import { OWNER, ACCEPTED } from '../../variables';
-import _ from 'lodash';
-import { getStripeSecretKey, getSiteURL } from '../../config';
+} from "../../models";
+import { createOrganization as create } from "../../helpers/organization";
+import { addMembershipsOrg } from "../../helpers/membershipOrg";
+import { ACCEPTED, OWNER } from "../../variables";
+import { getSiteURL, getLicenseServerUrl } from "../../config";
+import { licenseServerKeyRequest } from "../../config/request";
 
 export const getOrganizations = async (req: Request, res: Response) => {
-	let organizations;
-	try {
-		organizations = (
-			await MembershipOrg.find({
-				user: req.user._id,
-				status: ACCEPTED
-			}).populate('organization')
-		).map((m) => m.organization);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organizations'
-		});
-	}
+  const organizations = (
+    await MembershipOrg.find({
+      user: req.user._id,
+      status: ACCEPTED,
+    }).populate("organization")
+  ).map((m) => m.organization);
 
 	return res.status(200).send({
-		organizations
+		organizations,
 	});
 };
 
@@ -44,36 +33,27 @@ export const getOrganizations = async (req: Request, res: Response) => {
  * @returns
  */
 export const createOrganization = async (req: Request, res: Response) => {
-	let organization;
-	try {
-		const { organizationName } = req.body;
+  const { organizationName } = req.body;
 
-		if (organizationName.length < 1) {
-			throw new Error('Organization names must be at least 1-character long');
-		}
+  if (organizationName.length < 1) {
+    throw new Error("Organization names must be at least 1-character long");
+  }
 
-		// create organization and add user as member
-		organization = await create({
-			email: req.user.email,
-			name: organizationName
-		});
+  // create organization and add user as member
+  const organization = await create({
+    email: req.user.email,
+    name: organizationName,
+  });
 
-		await addMembershipsOrg({
-			userIds: [req.user._id.toString()],
-			organizationId: organization._id.toString(),
-			roles: [OWNER],
-			statuses: [ACCEPTED]
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create organization'
-		});
-	}
+  await addMembershipsOrg({
+    userIds: [req.user._id.toString()],
+    organizationId: organization._id.toString(),
+    roles: [OWNER],
+    statuses: [ACCEPTED],
+  });
 
 	return res.status(200).send({
-		organization
+		organization,
 	});
 };
 
@@ -84,19 +64,9 @@ export const createOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const getOrganization = async (req: Request, res: Response) => {
-	let organization;
-	try {
-		organization = req.organization
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to find organization'
-		});
-	}
-
+	const organization = req.organization
 	return res.status(200).send({
-		organization
+		organization,
 	});
 };
 
@@ -107,23 +77,14 @@ export const getOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const getOrganizationMembers = async (req: Request, res: Response) => {
-	let users;
-	try {
-		const { organizationId } = req.params;
+  const { organizationId } = req.params;
 
-		users = await MembershipOrg.find({
-			organization: organizationId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization members'
-		});
-	}
+  const users = await MembershipOrg.find({
+    organization: organizationId,
+  }).populate("user", "+publicKey");
 
 	return res.status(200).send({
-		users
+		users,
 	});
 };
 
@@ -137,38 +98,29 @@ export const getOrganizationWorkspaces = async (
 	req: Request,
 	res: Response
 ) => {
-	let workspaces;
-	try {
-		const { organizationId } = req.params;
+  const { organizationId } = req.params;
 
-		const workspacesSet = new Set(
-			(
-				await Workspace.find(
-					{
-						organization: organizationId
-					},
-					'_id'
-				)
-			).map((w) => w._id.toString())
-		);
+  const workspacesSet = new Set(
+    (
+      await Workspace.find(
+        {
+          organization: organizationId,
+        },
+        "_id"
+      )
+    ).map((w) => w._id.toString())
+  );
 
-		workspaces = (
-			await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
-		)
-			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
-			.map((m) => m.workspace);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get my workspaces'
-		});
-	}
+  const workspaces = (
+    await Membership.find({
+      user: req.user._id,
+    }).populate("workspace")
+  )
+    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+    .map((m) => m.workspace);
 
 	return res.status(200).send({
-		workspaces
+		workspaces,
 	});
 };
 
@@ -179,33 +131,24 @@ export const getOrganizationWorkspaces = async (
  * @returns
  */
 export const changeOrganizationName = async (req: Request, res: Response) => {
-	let organization;
-	try {
-		const { organizationId } = req.params;
-		const { name } = req.body;
+  const { organizationId } = req.params;
+  const { name } = req.body;
 
-		organization = await Organization.findOneAndUpdate(
-			{
-				_id: organizationId
-			},
-			{
-				name
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change organization name'
-		});
-	}
+  const organization = await Organization.findOneAndUpdate(
+    {
+      _id: organizationId,
+    },
+    {
+      name,
+    },
+    {
+      new: true,
+    }
+  );
 
 	return res.status(200).send({
-		message: 'Successfully changed organization name',
-		organization
+		message: "Successfully changed organization name",
+		organization,
 	});
 };
 
@@ -219,23 +162,14 @@ export const getOrganizationIncidentContacts = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactsOrg;
-	try {
-		const { organizationId } = req.params;
+  const { organizationId } = req.params;
 
-		incidentContactsOrg = await IncidentContactOrg.find({
-			organization: organizationId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization incident contacts'
-		});
-	}
+  const incidentContactsOrg = await IncidentContactOrg.find({
+    organization: organizationId,
+  });
 
 	return res.status(200).send({
-		incidentContactsOrg
+		incidentContactsOrg,
 	});
 };
 
@@ -249,26 +183,17 @@ export const addOrganizationIncidentContact = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactOrg;
-	try {
-		const { organizationId } = req.params;
-		const { email } = req.body;
+  const { organizationId } = req.params;
+  const { email } = req.body;
 
-		incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
-			{ email, organization: organizationId },
-			{ email, organization: organizationId },
-			{ upsert: true, new: true }
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to add incident contact for organization'
-		});
-	}
+  const incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
+    { email, organization: organizationId },
+    { email, organization: organizationId },
+    { upsert: true, new: true }
+  );
 
 	return res.status(200).send({
-		incidentContactOrg
+		incidentContactOrg,
 	});
 };
 
@@ -282,31 +207,22 @@ export const deleteOrganizationIncidentContact = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactOrg;
-	try {
-		const { organizationId } = req.params;
-		const { email } = req.body;
+  const { organizationId } = req.params;
+  const { email } = req.body;
 
-		incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
-			email,
-			organization: organizationId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization incident contact'
-		});
-	}
+  const incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
+    email,
+    organization: organizationId,
+  });
 
 	return res.status(200).send({
-		message: 'Successfully deleted organization incident contact',
-		incidentContactOrg
+		message: "Successfully deleted organization incident contact",
+		incidentContactOrg,
 	});
 };
 
 /**
- * Redirect user to (stripe) billing portal or add card page depending on
+ * Redirect user to billing portal or add card page depending on
  * if there is a card on file
  * @param req
  * @param res
@@ -316,42 +232,32 @@ export const createOrganizationPortalSession = async (
 	req: Request,
 	res: Response
 ) => {
-	let session;
-	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
-		// check if there is a payment method on file
-		const paymentMethods = await stripe.paymentMethods.list({
-			customer: req.organization.customerId,
-			type: 'card'
-		});
-		
-		if (paymentMethods.data.length < 1) {
-			// case: no payment method on file
-			session = await stripe.checkout.sessions.create({
-				customer: req.organization.customerId,
-				mode: 'setup',
-				payment_method_types: ['card'],
-				success_url: (await getSiteURL()) + '/dashboard',
-				cancel_url: (await getSiteURL()) + '/dashboard'
-			});
-		} else {
-			session = await stripe.billingPortal.sessions.create({
-				customer: req.organization.customerId,
-				return_url: (await getSiteURL()) + '/dashboard'
-			});
-		}
-
-		return res.status(200).send({ url: session.url });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to redirect to organization billing portal'
-		});
-	}
+  const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
+    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+  );
+  
+  if (pmtMethods.length < 1) {
+    // case: organization has no payment method on file
+    // -> redirect to add payment method portal 
+    const { data: { url } } = await licenseServerKeyRequest.post(
+      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+      {
+        success_url: (await getSiteURL()) + "/dashboard",
+        cancel_url: (await getSiteURL()) + "/dashboard"
+      }
+    );
+    return res.status(200).send({ url });
+  } else {
+    // case: organization has payment method on file
+    // -> redirect to billing portal
+    const { data: { url } } = await licenseServerKeyRequest.post(
+      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/billing-portal`,
+      {
+        return_url: (await getSiteURL()) + "/dashboard"
+      }
+    );
+    return res.status(200).send({ url });
+  }
 };
 
 /**
@@ -364,25 +270,8 @@ export const getOrganizationSubscriptions = async (
 	req: Request,
 	res: Response
 ) => {
-	let subscriptions;
-	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-		
-		subscriptions = await stripe.subscriptions.list({
-			customer: req.organization.customerId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization subscriptions'
-		});
-	}
-
 	return res.status(200).send({
-		subscriptions
+		subscriptions: []
 	});
 };
 
@@ -402,16 +291,16 @@ export const getOrganizationMembersAndTheirWorkspaces = async (
 	const workspacesSet = (
 			await Workspace.find(
 				{
-					organization: organizationId
+					organization: organizationId,
 				},
-				'_id'
+				"_id"
 			)
 		).map((w) => w._id.toString());
 
 	const memberships = (
 		await Membership.find({
-			workspace: { $in: workspacesSet }
-		}).populate('workspace')
+			workspace: { $in: workspacesSet },
+		}).populate("workspace")
 	);
 	const userToWorkspaceIds: any = {};
 
@@ -425,4 +314,4 @@ export const getOrganizationMembersAndTheirWorkspaces = async (
 	});
 
 	return res.json(userToWorkspaceIds);
-};
+};

backend/src/controllers/v1/passwordController.ts

@@ -1,113 +1,98 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const jsrp = require('jsrp');
-import * as bigintConversion from 'bigint-conversion';
-import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
-import { BadRequestError } from '../../utils/errors';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
+const jsrp = require("jsrp");
+import * as bigintConversion from "bigint-conversion";
+import { BackupPrivateKey, LoginSRPDetail, User } from "../../models";
+import { clearTokens, createToken, sendMail } from "../../helpers";
+import { TokenService } from "../../services";
+import { AUTH_MODE_JWT, TOKEN_EMAIL_PASSWORD_RESET } from "../../variables";
+import { BadRequestError } from "../../utils/errors";
+import {
+  getHttpsEnabled,
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSiteURL
+} from "../../config";
 
 /**
- * Password reset step 1: Send email verification link to email [email] 
+ * Password reset step 1: Send email verification link to email [email]
  * for account recovery.
  * @param req
  * @param res
  * @returns
  */
 export const emailPasswordReset = async (req: Request, res: Response) => {
-	let email: string;
-	try {
-		email = req.body.email;
+  const email: string = req.body.email;
 
-		const user = await User.findOne({ email }).select('+publicKey');
-		if (!user || !user?.publicKey) {
-			// case: user has already completed account
+  const user = await User.findOne({ email }).select("+publicKey");
+  if (!user || !user?.publicKey) {
+    // case: user has already completed account
 
-			return res.status(403).send({
-				error: 'Failed to send email verification for password reset'
-			});
-		}
-		
-		const token = await TokenService.createToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email
-		});
-		
-		await sendMail({
-			template: 'passwordReset.handlebars',
-			subjectLine: 'Infisical password reset',
-			recipients: [email],
-			substitutions: {
-				email,
-				token,
-				callback_url: (await getSiteURL()) + '/password-reset'
-			}
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to send email for account recovery'
-		});
-	}
+    return res.status(200).send({
+      message: "If an account exists with this email, a password reset link has been sent"
+    });
+  }
 
-	return res.status(200).send({
-		message: `Sent an email for account recovery to ${email}`
-	});
-}
+  const token = await TokenService.createToken({
+    type: TOKEN_EMAIL_PASSWORD_RESET,
+    email
+  });
+
+  await sendMail({
+    template: "passwordReset.handlebars",
+    subjectLine: "Infisical password reset",
+    recipients: [email],
+    substitutions: {
+      email,
+      token,
+      callback_url: (await getSiteURL()) + "/password-reset"
+    }
+  });
+
+  return res.status(200).send({
+    message: "If an account exists with this email, a password reset link has been sent"
+  });
+};
 
 /**
  * Password reset step 2: Verify email verification link sent to email [email]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const emailPasswordResetVerify = async (req: Request, res: Response) => {
-	let user, token;
-	try {
-		const { email, code } = req.body;
+  const { email, code } = req.body;
 
-		user = await User.findOne({ email }).select('+publicKey');
-		if (!user || !user?.publicKey) {
-			// case: user doesn't exist with email [email] or 
-			// hasn't even completed their account
-			return res.status(403).send({
-				error: 'Failed email verification for password reset'
-			});
-		}
-		
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email,
-			token: code
-		});
+  const user = await User.findOne({ email }).select("+publicKey");
+  if (!user || !user?.publicKey) {
+    // case: user doesn't exist with email [email] or
+    // hasn't even completed their account
+    return res.status(403).send({
+      error: "Failed email verification for password reset"
+    });
+  }
 
-		// generate temporary password-reset token
-		token = createToken({
-			payload: {
-				userId: user._id.toString()
-			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed email verification for password reset'
-		});
-	}
+  await TokenService.validateToken({
+    type: TOKEN_EMAIL_PASSWORD_RESET,
+    email,
+    token: code
+  });
 
-	return res.status(200).send({
-		message: 'Successfully verified email',
-		user,
-		token
-	});
-}
+  // generate temporary password-reset token
+  const token = createToken({
+    payload: {
+      userId: user._id.toString()
+    },
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
+  });
+
+  return res.status(200).send({
+    message: "Successfully verified email",
+    user,
+    token
+  });
+};
 
 /**
  * Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
@@ -116,44 +101,41 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
  * @returns
  */
 export const srp1 = async (req: Request, res: Response) => {
-	// return salt, serverPublicKey as part of first step of SRP protocol
-	try {
-		const { clientPublicKey } = req.body;
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
+  // return salt, serverPublicKey as part of first step of SRP protocol
 
-		if (!user) throw new Error('Failed to find user');
+  const { clientPublicKey } = req.body;
+  const user = await User.findOne({
+    email: req.user.email
+  }).select("+salt +verifier");
 
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier
-			},
-			async () => {
-				// generate server-side public key
-				const serverPublicKey = server.getPublicKey();
+  if (!user) throw new Error("Failed to find user");
 
-				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
-					email: req.user.email,
-					clientPublicKey: clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt),
-				}, { upsert: true, returnNewDocument: false })
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier
+    },
+    async () => {
+      // generate server-side public key
+      const serverPublicKey = server.getPublicKey();
 
-				return res.status(200).send({
-					serverPublicKey,
-					salt: user.salt
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to start change password process'
-		});
-	}
+      await LoginSRPDetail.findOneAndReplace(
+        { email: req.user.email },
+        {
+          email: req.user.email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt)
+        },
+        { upsert: true, returnNewDocument: false }
+      );
+
+      return res.status(200).send({
+        serverPublicKey,
+        salt: user.salt
+      });
+    }
+  );
 };
 
 /**
@@ -165,80 +147,93 @@ export const srp1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const changePassword = async (req: Request, res: Response) => {
-	try {
-		const { 
-			clientProof, 
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
+  const {
+    clientProof,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier
+  } = req.body;
 
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
+  const user = await User.findOne({
+    email: req.user.email
+  }).select("+salt +verifier");
 
-		if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email });
 
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
+  if (!loginSRPDetailFromDB) {
+    return BadRequestError(
+      Error(
+        "It looks like some details from the first login are not found. Please try login one again"
+      )
+    );
+  }
 
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
-			},
-			async () => {
-				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+      b: loginSRPDetailFromDB.serverBInt
+    },
+    async () => {
+      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
-				// compare server and client shared keys
-				if (server.checkClientProof(clientProof)) {
-					// change password
+      // compare server and client shared keys
+      if (server.checkClientProof(clientProof)) {
+        // change password
 
-					await User.findByIdAndUpdate(
-						req.user._id.toString(),
-						{
-							encryptionVersion: 2,
-							protectedKey,
-							protectedKeyIV,
-							protectedKeyTag,
-							encryptedPrivateKey,
-							iv: encryptedPrivateKeyIV,
-							tag: encryptedPrivateKeyTag,
-							salt,
-							verifier
-						},
-						{
-							new: true
-						}
-					);
+        await User.findByIdAndUpdate(
+          req.user._id.toString(),
+          {
+            encryptionVersion: 2,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+            encryptedPrivateKey,
+            iv: encryptedPrivateKeyIV,
+            tag: encryptedPrivateKeyTag,
+            salt,
+            verifier
+          },
+          {
+            new: true
+          }
+        );
 
-					return res.status(200).send({
-						message: 'Successfully changed password'
-					});
-				}
+        if (
+          req.authData.authMode === AUTH_MODE_JWT &&
+          req.authData.authPayload instanceof User &&
+          req.authData.tokenVersionId
+        ) {
+          await clearTokens(req.authData.tokenVersionId);
+        }
 
-				return res.status(400).send({
-					error: 'Failed to change password. Try again?'
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to change password. Try again?'
-		});
-	}
+        // clear httpOnly cookie
+
+        res.cookie("jid", "", {
+          httpOnly: true,
+          path: "/",
+          sameSite: "strict",
+          secure: (await getHttpsEnabled()) as boolean
+        });
+
+        return res.status(200).send({
+          message: "Successfully changed password"
+        });
+      }
+
+      return res.status(400).send({
+        error: "Failed to change password. Try again?"
+      });
+    }
+  );
 };
 
 /**
@@ -248,141 +243,117 @@ export const changePassword = async (req: Request, res: Response) => {
  * @returns
  */
 export const createBackupPrivateKey = async (req: Request, res: Response) => {
-	// create/change backup private key
-	// requires verifying [clientProof] as part of second step of SRP protocol
-	// as initiated in /srp1
+  // create/change backup private key
+  // requires verifying [clientProof] as part of second step of SRP protocol
+  // as initiated in /srp1
 
-	try {
-		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
-			req.body;
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
+  const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } = req.body;
+  const user = await User.findOne({
+    email: req.user.email
+  }).select("+salt +verifier");
 
-		if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email });
 
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
+  if (!loginSRPDetailFromDB) {
+    return BadRequestError(
+      Error(
+        "It looks like some details from the first login are not found. Please try login one again"
+      )
+    );
+  }
 
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
-			},
-			async () => {
-				server.setClientPublicKey(
-					loginSRPDetailFromDB.clientPublicKey
-				);
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+      b: loginSRPDetailFromDB.serverBInt
+    },
+    async () => {
+      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
-				// compare server and client shared keys
-				if (server.checkClientProof(clientProof)) {
-					// create new or replace backup private key
+      // compare server and client shared keys
+      if (server.checkClientProof(clientProof)) {
+        // create new or replace backup private key
 
-					const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
-						{ user: req.user._id },
-						{
-							user: req.user._id,
-							encryptedPrivateKey,
-							iv,
-							tag,
-							salt,
-							verifier
-						},
-						{ upsert: true, new: true }
-					).select('+user, encryptedPrivateKey');
+        const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
+          { user: req.user._id },
+          {
+            user: req.user._id,
+            encryptedPrivateKey,
+            iv,
+            tag,
+            salt,
+            verifier
+          },
+          { upsert: true, new: true }
+        ).select("+user, encryptedPrivateKey");
 
-					// issue tokens
-					return res.status(200).send({
-						message: 'Successfully updated backup private key',
-						backupPrivateKey
-					});
-				}
+        // issue tokens
+        return res.status(200).send({
+          message: "Successfully updated backup private key",
+          backupPrivateKey
+        });
+      }
 
-				return res.status(400).send({
-					message: 'Failed to update backup private key'
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update backup private key'
-		});
-	}
+      return res.status(400).send({
+        message: "Failed to update backup private key"
+      });
+    }
+  );
 };
 
 /**
  * Return backup private key for user
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getBackupPrivateKey = async (req: Request, res: Response) => {
-	let backupPrivateKey;
-	try {
-		backupPrivateKey = await BackupPrivateKey.findOne({
-			user: req.user._id
-		}).select('+encryptedPrivateKey +iv +tag');
+  const backupPrivateKey = await BackupPrivateKey.findOne({
+    user: req.user._id
+  }).select("+encryptedPrivateKey +iv +tag");
 
-		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get backup private key'
-		});
-	}
+  if (!backupPrivateKey) throw new Error("Failed to find backup private key");
 
-	return res.status(200).send({
-		backupPrivateKey
-	});
-}
+  return res.status(200).send({
+    backupPrivateKey
+  });
+};
 
 export const resetPassword = async (req: Request, res: Response) => {
-	try {
-		const {
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier,
-		} = req.body;
+  const {
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier
+  } = req.body;
 
-		await User.findByIdAndUpdate(
-			req.user._id.toString(),
-			{
-				encryptionVersion: 2,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,	
-				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
-				salt,
-				verifier
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get backup private key'
-		});
-	}
+  await User.findByIdAndUpdate(
+    req.user._id.toString(),
+    {
+      encryptionVersion: 2,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      encryptedPrivateKey,
+      iv: encryptedPrivateKeyIV,
+      tag: encryptedPrivateKeyTag,
+      salt,
+      verifier
+    },
+    {
+      new: true
+    }
+  );
 
-	return res.status(200).send({
-		message: 'Successfully reset password'
-	});
-}
+  return res.status(200).send({
+    message: "Successfully reset password"
+  });
+};

backend/src/controllers/v1/secretController.ts

@@ -1,31 +1,30 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { Key, Secret } from '../../models';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Key } from "../../models";
 import {
-	v1PushSecrets as push,
-	pullSecrets as pull,
-	reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { eventPushSecrets } from '../../events';
-import { EventService } from '../../services';
-import { TelemetryService } from '../../services';
+  pullSecrets as pull,
+  v1PushSecrets as push,
+  reformatPullSecrets
+} from "../../helpers/secret";
+import { pushKeys } from "../../helpers/key";
+import { eventPushSecrets } from "../../events";
+import { EventService } from "../../services";
+import { TelemetryService } from "../../services";
 
 interface PushSecret {
-	ciphertextKey: string;
-	ivKey: string;
-	tagKey: string;
-	hashKey: string;
-	ciphertextValue: string;
-	ivValue: string;
-	tagValue: string;
-	hashValue: string;
-	ciphertextComment: string;
-	ivComment: string;
-	tagComment: string;
-	hashComment: string;
-	type: 'shared' | 'personal';
+  ciphertextKey: string;
+  ivKey: string;
+  tagKey: string;
+  hashKey: string;
+  ciphertextValue: string;
+  ivValue: string;
+  tagValue: string;
+  hashValue: string;
+  ciphertextComment: string;
+  ivComment: string;
+  tagComment: string;
+  hashComment: string;
+  type: "shared" | "personal";
 }
 
 /**
@@ -36,71 +35,58 @@ interface PushSecret {
  * @returns
  */
 export const pushSecrets = async (req: Request, res: Response) => {
-	// upload (encrypted) secrets to workspace with id [workspaceId]
+  // upload (encrypted) secrets to workspace with id [workspaceId]
+  const postHogClient = await TelemetryService.getPostHogClient();
+  let { secrets }: { secrets: PushSecret[] } = req.body;
+  const { keys, environment, channel } = req.body;
+  const { workspaceId } = req.params;
 
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		let { secrets }: { secrets: PushSecret[] } = req.body;
-		const { keys, environment, channel } = req.body;
-		const { workspaceId } = req.params;
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }
 
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+  // sanitize secrets
+  secrets = secrets.filter((s: PushSecret) => s.ciphertextKey !== "" && s.ciphertextValue !== "");
 
-		// sanitize secrets
-		secrets = secrets.filter(
-			(s: PushSecret) => s.ciphertextKey !== '' && s.ciphertextValue !== ''
-		);
+  await push({
+    userId: req.user._id,
+    workspaceId,
+    environment,
+    secrets
+  });
 
-		await push({
-			userId: req.user._id,
-			workspaceId,
-			environment,
-			secrets
-		});
+  await pushKeys({
+    userId: req.user._id,
+    workspaceId,
+    keys
+  });
 
-		await pushKeys({
-			userId: req.user._id,
-			workspaceId,
-			keys
-		});
-		
-		
-		if (postHogClient) {
-			postHogClient.capture({
-				event: 'secrets pushed',
-				distinctId: req.user.email,
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
+  if (postHogClient) {
+    postHogClient.capture({
+      event: "secrets pushed",
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli"
+      }
+    });
+  }
 
-		// trigger event - push secrets
-		EventService.handleEvent({
-			event: eventPushSecrets({
-				workspaceId: new Types.ObjectId(workspaceId),
-				environment
-			})
-		});
+  // trigger event - push secrets
+  EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment
+    })
+  });
 
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload workspace secrets'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully uploaded workspace secrets'
-	});
+  return res.status(200).send({
+    message: "Successfully uploaded workspace secrets"
+  });
 };
 
 /**
@@ -111,64 +97,56 @@ export const pushSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const pullSecrets = async (req: Request, res: Response) => {
-	let secrets;
-	let key;
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		const environment: string = req.query.environment as string;
-		const channel: string = req.query.channel as string;
-		const { workspaceId } = req.params;
+  let secrets;
 
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const environment: string = req.query.environment as string;
+  const channel: string = req.query.channel as string;
+  const { workspaceId } = req.params;
 
-		secrets = await pull({
-			userId: req.user._id.toString(),
-			workspaceId,
-			environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }
 
-		key = await Key.findOne({
-			workspace: workspaceId,
-			receiver: req.user._id
-		})
-			.sort({ createdAt: -1 })
-			.populate('sender', '+publicKey');
-		
-		if (channel !== 'cli') {
-			secrets = reformatPullSecrets({ secrets });
-		}
+  secrets = await pull({
+    userId: req.user._id.toString(),
+    workspaceId,
+    environment,
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP
+  });
 
-		if (postHogClient) {
-			// capture secrets pushed event in production
-			postHogClient.capture({
-				distinctId: req.user.email,
-				event: 'secrets pulled',
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
+  const key = await Key.findOne({
+    workspace: workspaceId,
+    receiver: req.user._id
+  })
+    .sort({ createdAt: -1 })
+    .populate("sender", "+publicKey");
 
-	return res.status(200).send({
-		secrets,
-		key
-	});
+  if (channel !== "cli") {
+    secrets = reformatPullSecrets({ secrets });
+  }
+
+  if (postHogClient) {
+    // capture secrets pushed event in production
+    postHogClient.capture({
+      distinctId: req.user.email,
+      event: "secrets pulled",
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli"
+      }
+    });
+  }
+
+  return res.status(200).send({
+    secrets,
+    key
+  });
 };
 
 /**
@@ -180,61 +158,51 @@ export const pullSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
-	let secrets;
-	let key;
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		const environment: string = req.query.environment as string;
-		const channel: string = req.query.channel as string;
-		const { workspaceId } = req.params;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const environment: string = req.query.environment as string;
+  const channel: string = req.query.channel as string;
+  const { workspaceId } = req.params;
 
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }
 
-		secrets = await pull({
-			userId: req.serviceToken.user._id.toString(),
-			workspaceId,
-			environment,
-			channel: 'cli',
-			ipAddress: req.ip
-		});
+  const secrets = await pull({
+    userId: req.serviceToken.user._id.toString(),
+    workspaceId,
+    environment,
+    channel: "cli",
+    ipAddress: req.realIP
+  });
 
-		key = {
-			encryptedKey: req.serviceToken.encryptedKey,
-			nonce: req.serviceToken.nonce,
-			sender: {
-				publicKey: req.serviceToken.publicKey
-			},
-			receiver: req.serviceToken.user,
-			workspace: req.serviceToken.workspace
-		};
+  const key = {
+    encryptedKey: req.serviceToken.encryptedKey,
+    nonce: req.serviceToken.nonce,
+    sender: {
+      publicKey: req.serviceToken.publicKey
+    },
+    receiver: req.serviceToken.user,
+    workspace: req.serviceToken.workspace
+  };
 
-		if (postHogClient) {
-			// capture secrets pulled event in production
-			postHogClient.capture({
-				distinctId: req.serviceToken.user.email,
-				event: 'secrets pulled',
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.serviceToken.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
+  if (postHogClient) {
+    // capture secrets pulled event in production
+    postHogClient.capture({
+      distinctId: req.serviceToken.user.email,
+      event: "secrets pulled",
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli"
+      }
+    });
+  }
 
-	return res.status(200).send({
-		secrets: reformatPullSecrets({ secrets }),
-		key
-	});
-};
+  return res.status(200).send({
+    secrets: reformatPullSecrets({ secrets }),
+    key
+  });
+};

backend/src/controllers/v1/secretsFolderController.ts

@@ -5,12 +5,13 @@ import { BadRequestError } from "../../utils/errors";
 import {
   appendFolder,
   deleteFolderById,
-  getAllFolderIds,
-  searchByFolderIdWithDir,
-  searchByFolderId,
-  validateFolderName,
   generateFolderId,
+  getAllFolderIds,
+  getFolderByPath,
   getParentFromFolderId,
+  searchByFolderId,
+  searchByFolderIdWithDir,
+  validateFolderName,
 } from "../../services/FolderService";
 import { ADMIN, MEMBER } from "../../variables";
 import { validateMembership } from "../../helpers/membership";
@@ -177,11 +178,13 @@ export const deleteFolder = async (req: Request, res: Response) => {
 
 // TODO: validate workspace
 export const getFolders = async (req: Request, res: Response) => {
-  const { workspaceId, environment, parentFolderId } = req.query as {
-    workspaceId: string;
-    environment: string;
-    parentFolderId?: string;
-  };
+  const { workspaceId, environment, parentFolderId, parentFolderPath } =
+    req.query as {
+      workspaceId: string;
+      environment: string;
+      parentFolderId?: string;
+      parentFolderPath?: string;
+    };
 
   const folders = await Folder.findOne({ workspace: workspaceId, environment });
   if (!folders) {
@@ -196,6 +199,20 @@ export const getFolders = async (req: Request, res: Response) => {
     acceptedRoles: [ADMIN, MEMBER],
   });
 
+  // if instead of parentFolderId given a path like /folder1/folder2
+  if (parentFolderPath) {
+    const folder = getFolderByPath(folders.nodes, parentFolderPath);
+    if (!folder) {
+      res.send({ folders: [], dir: [] });
+      return;
+    }
+    // dir is not needed at present as this is only used in overview section of secrets
+    res.send({
+      folders: folder.children.map(({ id, name }) => ({ id, name })),
+      dir: [{ name: folder.name, id: folder.id }],
+    });
+  }
+
   if (!parentFolderId) {
     const rootFolders = folders.nodes.children.map(({ id, name }) => ({
       id,

backend/src/controllers/v1/serviceTokenController.ts

@@ -1,7 +1,7 @@
-import { Request, Response } from 'express';
-import { ServiceToken } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { getJwtServiceSecret } from '../../config';
+import { Request, Response } from "express";
+import { ServiceToken } from "../../models";
+import { createToken } from "../../helpers/auth";
+import { getJwtServiceSecret } from "../../config";
 
 /**
  * Return service token on request
@@ -11,7 +11,7 @@ import { getJwtServiceSecret } from '../../config';
  */
 export const getServiceToken = async (req: Request, res: Response) => {
 	return res.status(200).send({
-		serviceToken: req.serviceToken
+		serviceToken: req.serviceToken,
 	});
 };
 
@@ -31,13 +31,13 @@ export const createServiceToken = async (req: Request, res: Response) => {
 			expiresIn,
 			publicKey,
 			encryptedKey,
-			nonce
+			nonce,
 		} = req.body;
 
 		// validate environment
 		const workspaceEnvs = req.membership.workspace.environments;
 		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
+			throw new Error("Failed to validate environment");
 		}
 
 		// compute access token expiration date
@@ -52,24 +52,24 @@ export const createServiceToken = async (req: Request, res: Response) => {
 			expiresAt,
 			publicKey,
 			encryptedKey,
-			nonce
+			nonce,
 		}).save();
 
 		token = createToken({
 			payload: {
 				serviceTokenId: serviceToken._id.toString(),
-				workspaceId
+				workspaceId,
 			},
 			expiresIn: expiresIn,
-			secret: await getJwtServiceSecret()
+			secret: await getJwtServiceSecret(),
 		});
 	} catch (err) {
 		return res.status(400).send({
-			message: 'Failed to create service token'
+			message: "Failed to create service token",
 		});
 	}
 
 	return res.status(200).send({
-		token
+		token,
 	});
 };

backend/src/controllers/v1/signupController.ts

@@ -1,13 +1,15 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User } from '../../models';
+import { Request, Response } from "express";
+import { User } from "../../models";
+import { checkEmailVerification, sendEmailVerification } from "../../helpers/signup";
+import { createToken } from "../../helpers/auth";
+import { BadRequestError } from "../../utils/errors";
 import {
-	sendEmailVerification,
-	checkEmailVerification,
-} from '../../helpers/signup';
-import { createToken } from '../../helpers/auth';
-import { BadRequestError } from '../../utils/errors';
-import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+  getInviteOnlySignup,
+  getJwtSignupLifetime,
+  getJwtSignupSecret,
+  getSmtpConfigured
+} from "../../config";
+import { validateUserEmail } from "../../validation";
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -17,32 +19,26 @@ import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpC
  * @returns
  */
 export const beginEmailSignup = async (req: Request, res: Response) => {
-	let email: string;
-	try {
-		email = req.body.email;
+  const email: string = req.body.email;
 
-		const user = await User.findOne({ email }).select('+publicKey');
-		if (user && user?.publicKey) {
-			// case: user has already completed account
+  // validate that email is not disposable
+  validateUserEmail(email);
 
-			return res.status(403).send({
-				error: 'Failed to send email verification code for complete account'
-			});
-		}
+  const user = await User.findOne({ email }).select("+publicKey");
+  if (user && user?.publicKey) {
+    // case: user has already completed account
 
-		// send send verification email
-		await sendEmailVerification({ email });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to send email verification code'
-		});
-	}
-	
-	return res.status(200).send({
-		message: `Sent an email verification code to ${email}`
-	});
+    return res.status(403).send({
+      error: "Failed to send email verification code for complete account"
+    });
+  }
+
+  // send send verification email
+  await sendEmailVerification({ email });
+
+  return res.status(200).send({
+    message: `Sent an email verification code to ${email}`
+  });
 };
 
 /**
@@ -53,60 +49,54 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
  * @returns
  */
 export const verifyEmailSignup = async (req: Request, res: Response) => {
-	let user, token;
-	try {
-		const { email, code } = req.body;
+  let user;
+  const { email, code } = req.body;
 
-		// initialize user account
-		user = await User.findOne({ email }).select('+publicKey');
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			return res.status(403).send({
-				error: 'Failed email verification for complete user'
-			});
-		}
+  // initialize user account
+  user = await User.findOne({ email }).select("+publicKey");
+  if (user && user?.publicKey) {
+    // case: user has already completed account
+    return res.status(403).send({
+      error: "Failed email verification for complete user"
+    });
+  }
 
-		if (await getInviteOnlySignup()) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
+  if (await getInviteOnlySignup()) {
+    // Only one user can create an account without being invited. The rest need to be invited in order to make an account
+    const userCount = await User.countDocuments({});
+    if (userCount != 0) {
+      throw BadRequestError({
+        message: "New user sign ups are not allowed at this time. You must be invited to sign up."
+      });
+    }
+  }
 
-		// verify email
-		if (await getSmtpConfigured()) {
-			await checkEmailVerification({
-				email,
-				code
-			});
-		}
+  // verify email
+  if (await getSmtpConfigured()) {
+    await checkEmailVerification({
+      email,
+      code
+    });
+  }
 
-		if (!user) {
-			user = await new User({
-				email
-			}).save();
-		}
+  if (!user) {
+    user = await new User({
+      email
+    }).save();
+  }
 
-		// generate temporary signup token
-		token = createToken({
-			payload: {
-				userId: user._id.toString()
-			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed email verification'
-		});
-	}
+  // generate temporary signup token
+  const token = createToken({
+    payload: {
+      userId: user._id.toString()
+    },
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
+  });
 
-	return res.status(200).send({
-		message: 'Successfuly verified email',
-		user,
-		token
-	});
+  return res.status(200).send({
+    message: "Successfuly verified email",
+    user,
+    token
+  });
 };

backend/src/controllers/v1/stripeController.ts

@@ -1,41 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
-
-/**
- * Handle service provisioning/un-provisioning via Stripe
- * @param req
- * @param res
- * @returns
- */
-export const handleWebhook = async (req: Request, res: Response) => {
-	let event;
-	try {
-		// check request for valid stripe signature
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
-		const sig = req.headers['stripe-signature'] as string;
-		event = stripe.webhooks.constructEvent(
-			req.body,
-			sig,
-			await getStripeWebhookSecret()
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to process webhook'
-		});
-	}
-
-	switch (event.type) {
-		case '':
-			break;
-		default:
-	}
-
-	return res.json({ received: true });
-};

backend/src/controllers/v1/userActionController.ts

@@ -1,6 +1,5 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { UserAction } from '../../models';
+import { Request, Response } from "express";
+import { UserAction } from "../../models";
 
 /**
  * Add user action [action]
@@ -11,32 +10,23 @@ import { UserAction } from '../../models';
 export const addUserAction = async (req: Request, res: Response) => {
 	// add/record new action [action] for user with id [req.user._id]
 
-	let userAction;
-	try {
-		const { action } = req.body;
+  const { action } = req.body;
 
-		userAction = await UserAction.findOneAndUpdate(
-			{
-				user: req.user._id,
-				action
-			},
-			{ user: req.user._id, action },
-			{
-				new: true,
-				upsert: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to record user action'
-		});
-	}
+  const userAction = await UserAction.findOneAndUpdate(
+    {
+      user: req.user._id,
+      action,
+    },
+    { user: req.user._id, action },
+    {
+      new: true,
+      upsert: true,
+    }
+  );
 
 	return res.status(200).send({
-		message: 'Successfully recorded user action',
-		userAction
+		message: "Successfully recorded user action",
+		userAction,
 	});
 };
 
@@ -48,23 +38,14 @@ export const addUserAction = async (req: Request, res: Response) => {
  */
 export const getUserAction = async (req: Request, res: Response) => {
 	// get user action [action] for user with id [req.user._id]
-	let userAction;
-	try {
-		const action: string = req.query.action as string;
+  const action: string = req.query.action as string;
 
-		userAction = await UserAction.findOne({
-			user: req.user._id,
-			action
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get user action'
-		});
-	}
+  const userAction = await UserAction.findOne({
+    user: req.user._id,
+    action,
+  });
 
 	return res.status(200).send({
-		userAction
+		userAction,
 	});
 };

backend/src/controllers/v1/userController.ts

@@ -1,4 +1,4 @@
-import { Request, Response } from 'express';
+import { Request, Response } from "express";
 
 /**
  * Return user on request
@@ -8,6 +8,6 @@ import { Request, Response } from 'express';
  */
 export const getUser = async (req: Request, res: Response) => {
 	return res.status(200).send({
-		user: req.user
+		user: req.user,
 	});
 };

backend/src/controllers/v1/workspaceController.ts

@@ -1,19 +1,18 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import {
-  Workspace,
-  Membership,
-  MembershipOrg,
+  IUser,
   Integration,
   IntegrationAuth,
-  IUser,
+  Membership,
+  MembershipOrg,
   ServiceToken,
-  ServiceTokenData,
+  Workspace,
 } from "../../models";
 import {
   createWorkspace as create,
   deleteWorkspace as deleteWork,
 } from "../../helpers/workspace";
+import { EELicenseService } from "../../ee/services";
 import { addMemberships } from "../../helpers/membership";
 import { ADMIN } from "../../variables";
 
@@ -24,27 +23,18 @@ import { ADMIN } from "../../variables";
  * @returns
  */
 export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-  let publicKeys;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    publicKeys = (
-      await Membership.find({
-        workspace: workspaceId,
-      }).populate<{ user: IUser }>("user", "publicKey")
-    ).map((member) => {
-      return {
-        publicKey: member.user.publicKey,
-        userId: member.user._id,
-      };
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace member public keys",
-    });
-  }
+  const publicKeys = (
+    await Membership.find({
+      workspace: workspaceId,
+    }).populate<{ user: IUser }>("user", "publicKey")
+  ).map((member) => {
+    return {
+      publicKey: member.user.publicKey,
+      userId: member.user._id,
+    };
+  });
 
   return res.status(200).send({
     publicKeys,
@@ -58,20 +48,11 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-  let users;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    users = await Membership.find({
-      workspace: workspaceId,
-    }).populate("user", "+publicKey");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace members",
-    });
-  }
+  const users = await Membership.find({
+    workspace: workspaceId,
+  }).populate("user", "+publicKey");
 
   return res.status(200).send({
     users,
@@ -85,20 +66,11 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaces = async (req: Request, res: Response) => {
-  let workspaces;
-  try {
-    workspaces = (
-      await Membership.find({
-        user: req.user._id,
-      }).populate("workspace")
-    ).map((m) => m.workspace);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspaces",
-    });
-  }
+  const workspaces = (
+    await Membership.find({
+      user: req.user._id,
+    }).populate("workspace")
+  ).map((m) => m.workspace);
 
   return res.status(200).send({
     workspaces,
@@ -112,20 +84,11 @@ export const getWorkspaces = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    workspace = await Workspace.findOne({
-      _id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace",
-    });
-  }
+  const workspace = await Workspace.findOne({
+    _id: workspaceId,
+  });
 
   return res.status(200).send({
     workspace,
@@ -140,43 +103,46 @@ export const getWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const createWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceName, organizationId } = req.body;
+  const { workspaceName, organizationId } = req.body;
 
-    // validate organization membership
-    const membershipOrg = await MembershipOrg.findOne({
-      user: req.user._id,
-      organization: organizationId,
-    });
+  // validate organization membership
+  const membershipOrg = await MembershipOrg.findOne({
+    user: req.user._id,
+    organization: organizationId,
+  });
 
-    if (!membershipOrg) {
-      throw new Error("Failed to validate organization membership");
-    }
-
-    if (workspaceName.length < 1) {
-      throw new Error("Workspace names must be at least 1-character long");
-    }
-
-    // create workspace and add user as member
-    workspace = await create({
-      name: workspaceName,
-      organizationId,
-    });
-
-    await addMemberships({
-      userIds: [req.user._id],
-      workspaceId: workspace._id.toString(),
-      roles: [ADMIN],
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to create workspace",
-    });
+  if (!membershipOrg) {
+    throw new Error("Failed to validate organization membership");
   }
 
+  const plan = await EELicenseService.getPlan(organizationId);
+  
+  if (plan.workspaceLimit !== null) {
+    // case: limit imposed on number of workspaces allowed
+    if (plan.workspacesUsed >= plan.workspaceLimit) {
+      // case: number of workspaces used exceeds the number of workspaces allowed
+      return res.status(400).send({
+        message: "Failed to create workspace due to plan limit reached. Upgrade plan to add more workspaces.",
+      });
+    }
+  }
+
+  if (workspaceName.length < 1) {
+    throw new Error("Workspace names must be at least 1-character long");
+  }
+
+  // create workspace and add user as member
+  const workspace = await create({
+    name: workspaceName,
+    organizationId,
+  });
+
+  await addMemberships({
+    userIds: [req.user._id],
+    workspaceId: workspace._id.toString(),
+    roles: [ADMIN],
+  });
+
   return res.status(200).send({
     workspace,
   });
@@ -189,20 +155,12 @@ export const createWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteWorkspace = async (req: Request, res: Response) => {
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    // delete workspace
-    await deleteWork({
-      id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete workspace",
-    });
-  }
+  // delete workspace
+  await deleteWork({
+    id: workspaceId,
+  });
 
   return res.status(200).send({
     message: "Successfully deleted workspace",
@@ -216,29 +174,20 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeWorkspaceName = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
-    const { name } = req.body;
+  const { workspaceId } = req.params;
+  const { name } = req.body;
 
-    workspace = await Workspace.findOneAndUpdate(
-      {
-        _id: workspaceId,
-      },
-      {
-        name,
-      },
-      {
-        new: true,
-      }
-    );
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to change workspace name",
-    });
-  }
+  const workspace = await Workspace.findOneAndUpdate(
+    {
+      _id: workspaceId,
+    },
+    {
+      name,
+    },
+    {
+      new: true,
+    }
+  );
 
   return res.status(200).send({
     message: "Successfully changed workspace name",
@@ -253,20 +202,11 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-  let integrations;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    integrations = await Integration.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integrations",
-    });
-  }
+  const integrations = await Integration.find({
+    workspace: workspaceId,
+  });
 
   return res.status(200).send({
     integrations,
@@ -283,20 +223,11 @@ export const getWorkspaceIntegrationAuthorizations = async (
   req: Request,
   res: Response
 ) => {
-  let authorizations;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    authorizations = await IntegrationAuth.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integration authorizations",
-    });
-  }
+  const authorizations = await IntegrationAuth.find({
+    workspace: workspaceId,
+  });
 
   return res.status(200).send({
     authorizations,
@@ -313,21 +244,12 @@ export const getWorkspaceServiceTokens = async (
   req: Request,
   res: Response
 ) => {
-  let serviceTokens;
-  try {
-    const { workspaceId } = req.params;
-    // ?? FIX.
-    serviceTokens = await ServiceToken.find({
-      user: req.user._id,
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace service tokens",
-    });
-  }
+  const { workspaceId } = req.params;
+  // ?? FIX.
+  const serviceTokens = await ServiceToken.find({
+    user: req.user._id,
+    workspace: workspaceId,
+  });
 
   return res.status(200).send({
     serviceTokens,

backend/src/controllers/v2/apiKeyDataController.ts

@@ -1,104 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    APIKeyData
-} from '../../models';
-import { getSaltRounds } from '../../config';
-
-/**
- * Return API key data for user with id [req.user_id]
- * @param req
- * @param res 
- * @returns 
- */
-export const getAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        apiKeyData = await APIKeyData.find({
-            user: req.user._id
-        });
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to get API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}
-
-/**
- * Create new API key data for user with id [req.user._id]
- * @param req 
- * @param res 
- */
-export const createAPIKeyData = async (req: Request, res: Response) => {
-    let apiKey, apiKeyData;
-    try {
-        const { name, expiresIn } = req.body;
-        
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-        
-		const expiresAt = new Date();
-		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-        
-        apiKeyData = await new APIKeyData({
-            name,
-            lastUsed: new Date(),
-            expiresAt,
-            user: req.user._id,
-            secretHash
-        }).save();
-        
-        // return api key data without sensitive data
-        apiKeyData = await APIKeyData.findById(apiKeyData._id);
-        
-        if (!apiKeyData) throw new Error('Failed to find API key data');
-        
-        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
-            
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKey,
-        apiKeyData
-    });
-}
-
-/**
- * Delete API key data with id [apiKeyDataId].
- * @param req 
- * @param res 
- * @returns 
- */
-export const deleteAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        const { apiKeyDataId } = req.params;
-
-        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
-        
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete API key data'
-        });
-    }
-    
-    return res.status(200).send({
-        apiKeyData
-    });
-}

backend/src/controllers/v2/authController.ts

@@ -1,28 +1,27 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { issueAuthTokens, createToken } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELogService } from '../../ee/services';
-import { BadRequestError, InternalServerError } from '../../utils/errors';
+import { Request, Response } from "express";
+import jwt from "jsonwebtoken";
+import * as bigintConversion from "bigint-conversion";
+const jsrp = require("jsrp");
+import { LoginSRPDetail, User } from "../../models";
+import { createToken, issueAuthTokens } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELogService } from "../../ee/services";
+import { BadRequestError, InternalServerError } from "../../utils/errors";
 import {
+  ACTION_LOGIN,
   TOKEN_EMAIL_MFA,
-  ACTION_LOGIN
-} from '../../variables';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+} from "../../variables";
+import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
 import {
+  getHttpsEnabled,
   getJwtMfaLifetime,
   getJwtMfaSecret,
-  getHttpsEnabled
-} from '../../config';
+} from "../../config";
 
-declare module 'jsonwebtoken' {
+declare module "jsonwebtoken" {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
     userId: string;
   }
@@ -35,47 +34,40 @@ declare module 'jsonwebtoken' {
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-  try {
-    const {
-      email,
-      clientPublicKey
-    }: { email: string; clientPublicKey: string } = req.body;
+  const {
+    email,
+    clientPublicKey,
+  }: { email: string; clientPublicKey: string } = req.body;
 
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
+  const user = await User.findOne({
+    email,
+  }).select("+salt +verifier");
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
-    const server = new jsrp.server();
-    server.init(
-      {
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+    },
+    async () => {
+      // generate server-side public key
+      const serverPublicKey = server.getPublicKey();
+
+      await LoginSRPDetail.findOneAndReplace({ email: email }, {
+        email: email,
+        clientPublicKey: clientPublicKey,
+        serverBInt: bigintConversion.bigintToBuf(server.bInt),
+      }, { upsert: true, returnNewDocument: false });
+
+      return res.status(200).send({
+        serverPublicKey,
         salt: user.salt,
-        verifier: user.verifier
-      },
-      async () => {
-        // generate server-side public key
-        const serverPublicKey = server.getPublicKey();
-
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false });
-
-        return res.status(200).send({
-          serverPublicKey,
-          salt: user.salt
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
+      });
+    }
+  );
+  
 };
 
 /**
@@ -86,149 +78,143 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-  try {
+  if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });
 
-    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+  const { email, clientProof } = req.body;
+  const user = await User.findOne({
+    email,
+  }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
 
-    const { email, clientProof } = req.body;
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+  if (!user) throw new Error("Failed to find user");
 
-    if (!user) throw new Error('Failed to find user');
+  const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
 
-    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+  if (!loginSRPDetail) {
+    return BadRequestError(Error("Failed to find login details for SRP"))
+  }
 
-    if (!loginSRPDetail) {
-      return BadRequestError(Error("Failed to find login details for SRP"))
-    }
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+      b: loginSRPDetail.serverBInt,
+    },
+    async () => {
+      server.setClientPublicKey(loginSRPDetail.clientPublicKey);
 
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier,
-        b: loginSRPDetail.serverBInt
-      },
-      async () => {
-        server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+      // compare server and client shared keys
+      if (server.checkClientProof(clientProof)) {
+        if (user.isMfaEnabled) {
+          // case: user has MFA enabled
 
-        // compare server and client shared keys
-        if (server.checkClientProof(clientProof)) {
-
-          if (user.isMfaEnabled) {
-            // case: user has MFA enabled
-
-            // generate temporary MFA token
-            const token = createToken({
-              payload: {
-                userId: user._id.toString()
-              },
-              expiresIn: await getJwtMfaLifetime(),
-              secret: await getJwtMfaSecret()
-            });
-
-            const code = await TokenService.createToken({
-              type: TOKEN_EMAIL_MFA,
-              email
-            });
-
-            // send MFA code [code] to [email]
-            await sendMail({
-              template: 'emailMfa.handlebars',
-              subjectLine: 'Infisical MFA code',
-              recipients: [email],
-              substitutions: {
-                code
-              }
-            });
-
-            return res.status(200).send({
-              mfaEnabled: true,
-              token
-            });
-          }
-
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
+          // generate temporary MFA token
+          const token = createToken({
+            payload: {
+              userId: user._id.toString(),
+            },
+            expiresIn: await getJwtMfaLifetime(),
+            secret: await getJwtMfaSecret(),
           });
 
-          // issue tokens
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: await getHttpsEnabled()
+          const code = await TokenService.createToken({
+            type: TOKEN_EMAIL_MFA,
+            email,
           });
 
-          // case: user does not have MFA enablgged
-          // return (access) token in response
-
-          interface ResponseData {
-            mfaEnabled: boolean;
-            encryptionVersion: any;
-            protectedKey?: string;
-            protectedKeyIV?: string;
-            protectedKeyTag?: string;
-            token: string;
-            publicKey?: string;
-            encryptedPrivateKey?: string;
-            iv?: string;
-            tag?: string;
-          }
-
-          const response: ResponseData = {
-            mfaEnabled: false,
-            encryptionVersion: user.encryptionVersion,
-            token: tokens.token,
-            publicKey: user.publicKey,
-            encryptedPrivateKey: user.encryptedPrivateKey,
-            iv: user.iv,
-            tag: user.tag
-          }
-
-          if (
-            user?.protectedKey &&
-            user?.protectedKeyIV &&
-            user?.protectedKeyTag
-          ) {
-            response.protectedKey = user.protectedKey;
-            response.protectedKeyIV = user.protectedKeyIV
-            response.protectedKeyTag = user.protectedKeyTag;
-          }
-
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
+          // send MFA code [code] to [email]
+          await sendMail({
+            template: "emailMfa.handlebars",
+            subjectLine: "Infisical MFA code",
+            recipients: [email],
+            substitutions: {
+              code,
+            },
           });
 
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
+          return res.status(200).send({
+            mfaEnabled: true,
+            token,
           });
-
-          return res.status(200).send(response);
         }
 
-        return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
+        await checkUserDevice({
+          user,
+          ip: req.realIP,
+          userAgent: req.headers["user-agent"] ?? "",
         });
+
+        // issue tokens
+        const tokens = await issueAuthTokens({ 
+          userId: user._id,
+          ip: req.realIP,
+          userAgent: req.headers["user-agent"] ?? "",
+        });
+
+        // store (refresh) token in httpOnly cookie
+        res.cookie("jid", tokens.refreshToken, {
+          httpOnly: true,
+          path: "/",
+          sameSite: "strict",
+          secure: await getHttpsEnabled(),
+        });
+
+        // case: user does not have MFA enabled
+        // return (access) token in response
+
+        interface ResponseData {
+          mfaEnabled: boolean;
+          encryptionVersion: any;
+          protectedKey?: string;
+          protectedKeyIV?: string;
+          protectedKeyTag?: string;
+          token: string;
+          publicKey?: string;
+          encryptedPrivateKey?: string;
+          iv?: string;
+          tag?: string;
+        }
+
+        const response: ResponseData = {
+          mfaEnabled: false,
+          encryptionVersion: user.encryptionVersion,
+          token: tokens.token,
+          publicKey: user.publicKey,
+          encryptedPrivateKey: user.encryptedPrivateKey,
+          iv: user.iv,
+          tag: user.tag,
+        }
+
+        if (
+          user?.protectedKey &&
+          user?.protectedKeyIV &&
+          user?.protectedKeyTag
+        ) {
+          response.protectedKey = user.protectedKey;
+          response.protectedKeyIV = user.protectedKeyIV
+          response.protectedKeyTag = user.protectedKeyTag;
+        }
+
+        const loginAction = await EELogService.createAction({
+          name: ACTION_LOGIN,
+          userId: user._id,
+        });
+
+        loginAction && await EELogService.createLog({
+          userId: user._id,
+          actions: [loginAction],
+          channel: getChannelFromUserAgent(req.headers["user-agent"]),
+          ipAddress: req.ip,
+        });
+
+        return res.status(200).send(response);
       }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
+
+      return res.status(400).send({
+        message: "Failed to authenticate. Try again?",
+      });
+    }
+  );
 };
 
 /**
@@ -237,33 +223,25 @@ export const login2 = async (req: Request, res: Response) => {
  * @param res 
  */
 export const sendMfaToken = async (req: Request, res: Response) => {
-  try {
-    const { email } = req.body;
+  const { email } = req.body;
 
-    const code = await TokenService.createToken({
-      type: TOKEN_EMAIL_MFA,
-      email
-    });
+  const code = await TokenService.createToken({
+    type: TOKEN_EMAIL_MFA,
+    email,
+  });
 
-    // send MFA code [code] to [email]
-    await sendMail({
-      template: 'emailMfa.handlebars',
-      subjectLine: 'Infisical MFA code',
-      recipients: [email],
-      substitutions: {
-        code
-      }
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to send MFA code'
-    });
-  }
+  // send MFA code [code] to [email]
+  await sendMail({
+    template: "emailMfa.handlebars",
+    subjectLine: "Infisical MFA code",
+    recipients: [email],
+    substitutions: {
+      code,
+    },
+  });
 
   return res.status(200).send({
-    message: 'Successfully sent new MFA code'
+    message: "Successfully sent new MFA code",
   });
 }
 
@@ -279,32 +257,36 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
   await TokenService.validateToken({
     type: TOKEN_EMAIL_MFA,
     email,
-    token: mfaToken
+    token: mfaToken,
   });
 
   const user = await User.findOne({
-    email
-  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+    email,
+  }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
 
-  if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error("Failed to find user");
 
   await LoginSRPDetail.deleteOne({ userId: user.id })
 
   await checkUserDevice({
     user,
-    ip: req.ip,
-    userAgent: req.headers['user-agent'] ?? ''
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? "",
   });
 
   // issue tokens
-  const tokens = await issueAuthTokens({ userId: user._id.toString() });
+  const tokens = await issueAuthTokens({ 
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? "",
+  });
 
   // store (refresh) token in httpOnly cookie
-  res.cookie('jid', tokens.refreshToken, {
+  res.cookie("jid", tokens.refreshToken, {
     httpOnly: true,
-    path: '/',
-    sameSite: 'strict',
-    secure: await getHttpsEnabled()
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
   });
 
   interface VerifyMfaTokenRes {
@@ -337,7 +319,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
     publicKey: user.publicKey as string,
     encryptedPrivateKey: user.encryptedPrivateKey as string,
     iv: user.iv as string,
-    tag: user.tag as string
+    tag: user.tag as string,
   }
 
   if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
@@ -348,14 +330,14 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
 
   const loginAction = await EELogService.createAction({
     name: ACTION_LOGIN,
-    userId: user._id
+    userId: user._id,
   });
 
   loginAction && await EELogService.createLog({
     userId: user._id,
     actions: [loginAction],
-    channel: getChannelFromUserAgent(req.headers['user-agent']),
-    ipAddress: req.ip
+    channel: getChannelFromUserAgent(req.headers["user-agent"]),
+    ipAddress: req.realIP,
   });
 
   return res.status(200).send(resObj);

backend/src/controllers/v2/environmentController.ts

@@ -1,17 +1,17 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
 import {
+  Integration,
+  Membership,
   Secret,
   ServiceToken,
-  Workspace,
-  Integration,
   ServiceTokenData,
-  Membership,
-} from '../../models';
-import { SecretVersion } from '../../ee/models';
-import { BadRequestError } from '../../utils/errors';
-import _ from 'lodash';
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
+  Workspace,
+} from "../../models";
+import { SecretVersion } from "../../ee/models";
+import { EELicenseService } from "../../ee/services";
+import { BadRequestError, WorkspaceNotFoundError } from "../../utils/errors";
+import _ from "lodash";
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
 
 /**
  * Create new workspace environment named [environmentName] under workspace with id
@@ -23,34 +23,45 @@ export const createWorkspaceEnvironment = async (
   req: Request,
   res: Response
 ) => {
+
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug } = req.body;
-  try {
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (
-      !workspace ||
-      workspace?.environments.find(
-        ({ name, slug }) => slug === environmentSlug || environmentName === name
-      )
-    ) {
-      throw new Error('Failed to create workspace environment');
+  const workspace = await Workspace.findById(workspaceId).exec();
+  
+  if (!workspace) throw WorkspaceNotFoundError();
+  
+  const plan = await EELicenseService.getPlan(workspace.organization.toString());
+  
+  if (plan.environmentLimit !== null) {
+    // case: limit imposed on number of environments allowed
+    if (workspace.environments.length >= plan.environmentLimit) {
+      // case: number of environments used exceeds the number of environments allowed
+      
+      return res.status(400).send({
+        message: "Failed to create environment due to environment limit reached. Upgrade plan to create more environments.",
+      });
     }
-
-    workspace?.environments.push({
-      name: environmentName,
-      slug: environmentSlug.toLowerCase(),
-    });
-    await workspace.save();
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to create new workspace environment',
-    });
   }
 
+  if (
+    !workspace ||
+    workspace?.environments.find(
+      ({ name, slug }) => slug === environmentSlug || environmentName === name
+    )
+  ) {
+    throw new Error("Failed to create workspace environment");
+  }
+
+  workspace?.environments.push({
+    name: environmentName,
+    slug: environmentSlug.toLowerCase(),
+  });
+  await workspace.save();
+
+  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
+
   return res.status(200).send({
-    message: 'Successfully created new environment',
+    message: "Successfully created new environment",
     workspace: workspaceId,
     environment: {
       name: environmentName,
@@ -72,77 +83,69 @@ export const renameWorkspaceEnvironment = async (
 ) => {
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
-  try {
-    // user should pass both new slug and env name
-    if (!environmentSlug || !environmentName) {
-      throw new Error('Invalid environment given.');
-    }
-
-    // atomic update the env to avoid conflict
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (!workspace) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    const isEnvExist = workspace.environments.some(
-      ({ name, slug }) =>
-        slug !== oldEnvironmentSlug &&
-        (name === environmentName || slug === environmentSlug)
-    );
-    if (isEnvExist) {
-      throw new Error('Invalid environment given');
-    }
-
-    const envIndex = workspace?.environments.findIndex(
-      ({ slug }) => slug === oldEnvironmentSlug
-    );
-    if (envIndex === -1) {
-      throw new Error('Invalid environment given');
-    }
-
-    workspace.environments[envIndex].name = environmentName;
-    workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
-
-    await workspace.save();
-    await Secret.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await SecretVersion.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await ServiceToken.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await ServiceTokenData.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await Integration.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await Membership.updateMany(
-      {
-        workspace: workspaceId,
-        "deniedPermissions.environmentSlug": oldEnvironmentSlug
-      },
-      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
-      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
-    )
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to update workspace environment',
-    });
+  // user should pass both new slug and env name
+  if (!environmentSlug || !environmentName) {
+    throw new Error("Invalid environment given.");
   }
 
+  // atomic update the env to avoid conflict
+  const workspace = await Workspace.findById(workspaceId).exec();
+  if (!workspace) {
+    throw new Error("Failed to create workspace environment");
+  }
+
+  const isEnvExist = workspace.environments.some(
+    ({ name, slug }) =>
+      slug !== oldEnvironmentSlug &&
+      (name === environmentName || slug === environmentSlug)
+  );
+  if (isEnvExist) {
+    throw new Error("Invalid environment given");
+  }
+
+  const envIndex = workspace?.environments.findIndex(
+    ({ slug }) => slug === oldEnvironmentSlug
+  );
+  if (envIndex === -1) {
+    throw new Error("Invalid environment given");
+  }
+
+  workspace.environments[envIndex].name = environmentName;
+  workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
+
+  await workspace.save();
+  await Secret.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await SecretVersion.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await ServiceToken.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await ServiceTokenData.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await Integration.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await Membership.updateMany(
+    {
+      workspace: workspaceId,
+      "deniedPermissions.environmentSlug": oldEnvironmentSlug,
+    },
+    { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
+    { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
+  )
+
+
   return res.status(200).send({
-    message: 'Successfully update environment',
+    message: "Successfully update environment",
     workspace: workspaceId,
     environment: {
       name: environmentName,
@@ -163,59 +166,52 @@ export const deleteWorkspaceEnvironment = async (
 ) => {
   const { workspaceId } = req.params;
   const { environmentSlug } = req.body;
-  try {
-    // atomic update the env to avoid conflict
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (!workspace) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    const envIndex = workspace?.environments.findIndex(
-      ({ slug }) => slug === environmentSlug
-    );
-    if (envIndex === -1) {
-      throw new Error('Invalid environment given');
-    }
-
-    workspace.environments.splice(envIndex, 1);
-    await workspace.save();
-
-    // clean up
-    await Secret.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await SecretVersion.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceToken.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceTokenData.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await Integration.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await Membership.updateMany(
-      { workspace: workspaceId },
-      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
-    )
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to delete workspace environment',
-    });
+  // atomic update the env to avoid conflict
+  const workspace = await Workspace.findById(workspaceId).exec();
+  if (!workspace) {
+    throw new Error("Failed to create workspace environment");
   }
 
+  const envIndex = workspace?.environments.findIndex(
+    ({ slug }) => slug === environmentSlug
+  );
+  if (envIndex === -1) {
+    throw new Error("Invalid environment given");
+  }
+
+  workspace.environments.splice(envIndex, 1);
+  await workspace.save();
+
+  // clean up
+  await Secret.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await SecretVersion.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await ServiceToken.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await ServiceTokenData.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await Integration.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await Membership.updateMany(
+    { workspace: workspaceId },
+    { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
+  );
+
+  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
+
   return res.status(200).send({
-    message: 'Successfully deleted environment',
+    message: "Successfully deleted environment",
     workspace: workspaceId,
     environment: environmentSlug,
   });
@@ -229,7 +225,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
   const { workspaceId } = req.params;
   const workspacesUserIsMemberOf = await Membership.findOne({
     workspace: workspaceId,
-    user: req.user
+    user: req.user,
   })
 
   if (!workspacesUserIsMemberOf) {
@@ -253,7 +249,7 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
         name: environment.name,
         slug: environment.slug,
         isWriteDenied: isWriteBlocked,
-        isReadDenied: isReadBlocked
+        isReadDenied: isReadBlocked,
       })
     }
   })

backend/src/controllers/v2/index.ts

@@ -1,15 +1,14 @@
-import * as authController from './authController';
-import * as signupController from './signupController';
-import * as usersController from './usersController';
-import * as organizationsController from './organizationsController';
-import * as workspaceController from './workspaceController';
-import * as serviceTokenDataController from './serviceTokenDataController';
-import * as apiKeyDataController from './apiKeyDataController';
-import * as secretController from './secretController';
-import * as secretsController from './secretsController';
-import * as serviceAccountsController from './serviceAccountsController';
-import * as environmentController from './environmentController';
-import * as tagController from './tagController';
+import * as authController from "./authController";
+import * as signupController from "./signupController";
+import * as usersController from "./usersController";
+import * as organizationsController from "./organizationsController";
+import * as workspaceController from "./workspaceController";
+import * as serviceTokenDataController from "./serviceTokenDataController";
+import * as secretController from "./secretController";
+import * as secretsController from "./secretsController";
+import * as serviceAccountsController from "./serviceAccountsController";
+import * as environmentController from "./environmentController";
+import * as tagController from "./tagController";
 
 export {
     authController,
@@ -18,10 +17,9 @@ export {
     organizationsController,
     workspaceController,
     serviceTokenDataController,
-    apiKeyDataController,
     secretController,
     secretsController,
     serviceAccountsController,
     environmentController,
-    tagController
+    tagController,
 }

backend/src/controllers/v2/organizationsController.ts

@@ -1,14 +1,13 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
 import { 
-    MembershipOrg,
     Membership,
+    MembershipOrg,
+    ServiceAccount,
     Workspace,
-    ServiceAccount
-} from '../../models';
-import { deleteMembershipOrg } from '../../helpers/membershipOrg';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+} from "../../models";
+import { deleteMembershipOrg } from "../../helpers/membershipOrg";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 
 /**
  * Return memberships for organization with id [organizationId]
@@ -49,23 +48,14 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
         }
     }   
     */
-    let memberships;
-    try {
-        const { organizationId } = req.params;
+    const { organizationId } = req.params;
 
-		memberships = await MembershipOrg.find({
-			organization: organizationId
-		}).populate('user', '+publicKey');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization memberships'
-		});
-    }
+		const memberships = await MembershipOrg.find({
+			organization: organizationId,
+		}).populate("user", "+publicKey");
     
     return res.status(200).send({
-        memberships
+        memberships,
     });
 }
 
@@ -128,29 +118,20 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
         }
     }   
     */
-    let membership;
-    try {
-        const { membershipId } = req.params;
-        const { role } = req.body;
-        
-        membership = await MembershipOrg.findByIdAndUpdate(
-            membershipId,
-            {
-                role
-            }, {
-                new: true
-            }
-        );
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update organization membership'
-		});
-    }
+    const { membershipId } = req.params;
+    const { role } = req.body;
+    
+    const membership = await MembershipOrg.findByIdAndUpdate(
+        membershipId,
+        {
+            role,
+        }, {
+            new: true,
+        }
+    );
     
     return res.status(200).send({
-        membership
+        membership,
     });
 }
 
@@ -197,28 +178,19 @@ export const deleteOrganizationMembership = async (req: Request, res: Response)
         }
     }   
     */
-    let membership;
-    try {
-        const { membershipId } = req.params;
-        
-        // delete organization membership
-        membership = await deleteMembershipOrg({
-            membershipOrgId: membershipId
-        });
+    const { membershipId } = req.params;
+    
+    // delete organization membership
+    const membership = await deleteMembershipOrg({
+        membershipOrgId: membershipId,
+    });
 
-        await updateSubscriptionOrgQuantity({
-			organizationId: membership.organization.toString()
+    await updateSubscriptionOrgQuantity({
+			organizationId: membership.organization.toString(),
 		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization membership'
-		});	
-    }
 
     return res.status(200).send({
-        membership
+        membership,
     });
 }
 
@@ -268,23 +240,23 @@ export const getOrganizationWorkspaces = async (req: Request, res: Response) =>
         (
             await Workspace.find(
                 {
-                    organization: organizationId
+                    organization: organizationId,
                 },
-                '_id'
+                "_id"
             )
         ).map((w) => w._id.toString())
     );
 
     const workspaces = (
         await Membership.find({
-            user: req.user._id
-        }).populate('workspace')
+            user: req.user._id,
+        }).populate("workspace")
     )
     .filter((m) => workspacesSet.has(m.workspace._id.toString()))
     .map((m) => m.workspace);
 
 return res.status(200).send({
-        workspaces
+        workspaces,
     });
 }
 
@@ -297,10 +269,10 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response
     const { organizationId } = req.params;
     
     const serviceAccounts = await ServiceAccount.find({
-        organization: new Types.ObjectId(organizationId)
+        organization: new Types.ObjectId(organizationId),
     });
     
     return res.status(200).send({
-        serviceAccounts
+        serviceAccounts,
     });
-}
+}

backend/src/controllers/v2/secretController.ts

@@ -1,25 +1,39 @@
-import to from "await-to-js";
 import { Request, Response } from "express";
 import mongoose, { Types } from "mongoose";
 import Secret, { ISecret } from "../../models/secret";
-import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
+import {
+  CreateSecretRequestBody,
+  ModifySecretRequestBody,
+  SanitizedSecretForCreate,
+  SanitizedSecretModify
+} from "../../types/secret";
 const { ValidationError } = mongoose.Error;
-import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
-import { AnyBulkWriteOperation } from 'mongodb';
-import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
-import { TelemetryService } from '../../services';
+import {
+  BadRequestError,
+  InternalServerError,
+  ValidationError as RouteValidationError,
+  UnauthorizedRequestError
+} from "../../utils/errors";
+import { AnyBulkWriteOperation } from "mongodb";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  SECRET_PERSONAL,
+  SECRET_SHARED
+} from "../../variables";
+import { TelemetryService } from "../../services";
 import { User } from "../../models";
-import { AccountNotFoundError } from '../../utils/errors';
+import { AccountNotFoundError } from "../../utils/errors";
 
 /**
  * Create secret for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
 export const createSecret = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
   const secretToCreate: CreateSecretRequestBody = req.body.secret;
-  const { workspaceId, environment } = req.params
+  const { workspaceId, environment } = req.params;
   const sanitizedSecret: SanitizedSecretForCreate = {
     secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
     secretKeyIV: secretToCreate.secretKeyIV,
@@ -39,45 +53,41 @@ export const createSecret = async (req: Request, res: Response) => {
     user: new Types.ObjectId(req.user._id),
     algorithm: ALGORITHM_AES_256_GCM,
     keyEncoding: ENCODING_SCHEME_UTF8
-  }
+  };
 
-
-  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: error.message, stack: error.stack })
-  }
+  const secret = await new Secret(sanitizedSecret).save();
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets added',
+      event: "secrets added",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         workspaceId,
         environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
   res.status(200).send({
     secret
-  })
-}
+  });
+};
 
 /**
- * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
+ * Create many secrets for workspace with id [workspaceId] and environment [environment]
+ * @param req
+ * @param res
  */
 export const createSecrets = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
   const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
-  const { workspaceId, environment } = req.params
-  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
+  const { workspaceId, environment } = req.params;
+  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = [];
 
-  secretsToCreate.forEach(rawSecret => {
+  secretsToCreate.forEach((rawSecret) => {
     const safeUpdateFields: SanitizedSecretForCreate = {
       secretKeyCiphertext: rawSecret.secretKeyCiphertext,
       secretKeyIV: rawSecret.secretKeyIV,
@@ -97,140 +107,129 @@ export const createSecrets = async (req: Request, res: Response) => {
       user: new Types.ObjectId(req.user._id),
       algorithm: ALGORITHM_AES_256_GCM,
       keyEncoding: ENCODING_SCHEME_UTF8
-    }
+    };
 
-    sanitizedSecretesToCreate.push(safeUpdateFields)
-  })
+    sanitizedSecretesToCreate.push(safeUpdateFields);
+  });
 
-  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
-  if (bulkCreateError) {
-    if (bulkCreateError instanceof ValidationError) {
-      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
-    }
-
-    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
-  }
+  const secrets = await Secret.insertMany(sanitizedSecretesToCreate);
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets added',
+      event: "secrets added",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: (secretsToCreate ?? []).length,
         workspaceId,
         environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
   res.status(200).send({
     secrets
-  })
-}
+  });
+};
 
 /**
  * Delete secrets in workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
  */
 export const deleteSecrets = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
-  const secretIdsToDelete: string[] = req.body.secretIds
+  const { workspaceId, environmentName } = req.params;
+  const secretIdsToDelete: string[] = req.body.secretIds;
 
-  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanDeleteError) {
-    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
-  }
+  const secretIdsUserCanDelete = await Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
 
-  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
-  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
+  const secretsUserCanDeleteSet: Set<string> = new Set(
+    secretIdsUserCanDelete.map((objectId) => objectId._id.toString())
+  );
+  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = [];
 
   let numSecretsDeleted = 0;
-  secretIdsToDelete.forEach(secretIdToDelete => {
+  secretIdsToDelete.forEach((secretIdToDelete) => {
     if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
-      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
-      deleteOperationsToPerform.push(deleteOperation)
+      const deleteOperation = {
+        deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } }
+      };
+      deleteOperationsToPerform.push(deleteOperation);
       numSecretsDeleted++;
     } else {
-      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
+      throw RouteValidationError({
+        message: "You cannot delete secrets that you do not have access to"
+      });
     }
-  })
+  });
 
-  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
-  if (bulkDeleteError) {
-    if (bulkDeleteError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
-    }
-    throw InternalServerError()
-  }
+  await Secret.bulkWrite(deleteOperationsToPerform);
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets deleted',
+      event: "secrets deleted",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: numSecretsDeleted,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
-  res.status(200).send()
-}
+  res.status(200).send();
+};
 
 /**
  * Delete secret with id [secretId]
- * @param req 
+ * @param req
  * @param res
  */
 export const deleteSecret = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
-  await Secret.findByIdAndDelete(req._secret._id)
+  await Secret.findByIdAndDelete(req._secret._id);
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets deleted',
+      event: "secrets deleted",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         workspaceId: req._secret.workspace.toString(),
         environment: req._secret.environment,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
   res.status(200).send({
     secret: req._secret
-  })
-}
+  });
+};
 
 /**
  * Update secrets for workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const updateSecrets = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
+  const { workspaceId, environmentName } = req.params;
   const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
-  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdsUserCanModifyError) {
-    throw InternalServerError({ message: "Unable to fetch secrets you own" })
-  }
+  const secretIdsUserCanModify = await Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
 
-  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
-  const updateOperationsToPerform: any = []
+  const secretsUserCanModifySet: Set<string> = new Set(
+    secretIdsUserCanModify.map((objectId) => objectId._id.toString())
+  );
+  const updateOperationsToPerform: any = [];
 
-  secretsModificationsRequested.forEach(userModifiedSecret => {
+  secretsModificationsRequested.forEach((userModifiedSecret) => {
     if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
       const sanitizedSecret: SanitizedSecretModify = {
         secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
@@ -244,57 +243,54 @@ export const updateSecrets = async (req: Request, res: Response) => {
         secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
         secretCommentIV: userModifiedSecret.secretCommentIV,
         secretCommentTag: userModifiedSecret.secretCommentTag,
-        secretCommentHash: userModifiedSecret.secretCommentHash,
-      }
+        secretCommentHash: userModifiedSecret.secretCommentHash
+      };
 
-      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
-      updateOperationsToPerform.push(updateOperation)
+      const updateOperation = {
+        updateOne: {
+          filter: { _id: userModifiedSecret._id, workspace: workspaceId },
+          update: { $inc: { version: 1 }, $set: sanitizedSecret }
+        }
+      };
+      updateOperationsToPerform.push(updateOperation);
     } else {
-      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
+      throw UnauthorizedRequestError({
+        message: "You do not have permission to modify one or more of the requested secrets"
+      });
     }
-  })
+  });
 
-  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
-  if (bulkModificationInfoError) {
-    if (bulkModificationInfoError instanceof ValidationError) {
-      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
-    }
-
-    throw InternalServerError()
-  }
+  await Secret.bulkWrite(updateOperationsToPerform);
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets modified',
+      event: "secrets modified",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: (secretsModificationsRequested ?? []).length,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
-  return res.status(200).send()
-}
+  return res.status(200).send();
+};
 
 /**
  * Update a secret within workspace with id [workspaceId] and environment [environment]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const updateSecret = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
-  const { workspaceId, environmentName } = req.params
+  const { workspaceId, environmentName } = req.params;
   const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
 
-  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
-  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
-    throw BadRequestError()
-  }
+  await Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 });
 
   const sanitizedSecret: SanitizedSecretModify = {
     secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
@@ -308,45 +304,55 @@ export const updateSecret = async (req: Request, res: Response) => {
     secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
     secretCommentIV: secretModificationsRequested.secretCommentIV,
     secretCommentTag: secretModificationsRequested.secretCommentTag,
-    secretCommentHash: secretModificationsRequested.secretCommentHash,
-  }
+    secretCommentHash: secretModificationsRequested.secretCommentHash
+  };
 
-  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
-  if (error instanceof ValidationError) {
-    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
-  }
+  const singleModificationUpdate = await Secret.updateOne(
+    { _id: secretModificationsRequested._id, workspace: workspaceId },
+    { $inc: { version: 1 }, $set: sanitizedSecret }
+  )
+  .catch((error) => {
+    if (error instanceof ValidationError) {
+      throw RouteValidationError({
+        message: "Unable to apply modifications, please try again",
+        stack: error.stack
+      });
+    }
+
+    throw error;
+  });
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets modified',
+      event: "secrets modified",
       distinctId: req.user.email,
       properties: {
         numberOfSecrets: 1,
         environment: environmentName,
         workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
-  return res.status(200).send(singleModificationUpdate)
-}
+  return res.status(200).send(singleModificationUpdate);
+};
 
 /**
  * Return secrets for workspace with id [workspaceId], environment [environment] and user
  * with id [req.user._id]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getSecrets = async (req: Request, res: Response) => {
   const postHogClient = await TelemetryService.getPostHogClient();
   const { environment } = req.query;
   const { workspaceId } = req.params;
 
-  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: string | undefined = undefined // used for posthog 
+  let userId: Types.ObjectId | undefined = undefined; // used for getting personal secrets for user
+  let userEmail: string | undefined = undefined; // used for posthog
   if (req.user) {
     userId = req.user._id;
     userEmail = req.user.email;
@@ -354,47 +360,47 @@ export const getSecrets = async (req: Request, res: Response) => {
 
   if (req.serviceTokenData) {
     userId = req.serviceTokenData.user;
-    
-    const user = await User.findById(req.serviceTokenData.user, 'email');
+
+    const user = await User.findById(req.serviceTokenData.user, "email");
     if (!user) throw AccountNotFoundError();
     userEmail = user.email;
   }
 
-  const [err, secrets] = await to(Secret.find(
-    {
-      workspace: workspaceId,
-      environment,
-      $or: [{ user: userId }, { user: { $exists: false } }],
-      type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-    }
-  ).then())
-
-  if (err) {
-    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
-  }
+  const secrets = await Secret.find({
+    workspace: workspaceId,
+    environment,
+    $or: [{ user: userId }, { user: { $exists: false } }],
+    type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+  })
+  .catch((err) => {
+    throw RouteValidationError({
+      message: "Failed to get secrets, please try again",
+      stack: err.stack
+    });
+  })
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets pulled',
+      event: "secrets pulled",
       distinctId: userEmail,
       properties: {
         numberOfSecrets: (secrets ?? []).length,
         environment,
         workspaceId,
-        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
-        userAgent: req.headers?.['user-agent']
+        channel: req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli",
+        userAgent: req.headers?.["user-agent"]
       }
     });
   }
 
-  return res.json(secrets)
-}
+  return res.json(secrets);
+};
 
 /**
  * Return secret with id [secretId]
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getSecret = async (req: Request, res: Response) => {
   // if (postHogClient) {
@@ -414,4 +420,4 @@ export const getSecret = async (req: Request, res: Response) => {
   return res.status(200).send({
     secret: req._secret
   });
-}
+};

backend/src/controllers/v2/secretsController.ts

@@ -1,36 +1,38 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
-import { ISecret, Secret } from "../../models";
+import { ISecret, Secret, ServiceTokenData } from "../../models";
 import { IAction, SecretVersion } from "../../ee/models";
 import {
-  SECRET_PERSONAL,
   ACTION_ADD_SECRETS,
+  ACTION_DELETE_SECRETS,
   ACTION_READ_SECRETS,
   ACTION_UPDATE_SECRETS,
-  ACTION_DELETE_SECRETS,
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
+  SECRET_PERSONAL
 } from "../../variables";
 import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 import { EventService } from "../../services";
 import { eventPushSecrets } from "../../events";
-import { EESecretService, EELogService } from "../../ee/services";
-import { TelemetryService, SecretService } from "../../services";
+import { EELogService, EESecretService } from "../../ee/services";
+import { SecretService, TelemetryService } from "../../services";
 import { getChannelFromUserAgent } from "../../utils/posthog";
 import { PERMISSION_WRITE_SECRETS } from "../../variables";
 import {
   userHasNoAbility,
   userHasWorkspaceAccess,
-  userHasWriteOnlyAbility,
+  userHasWriteOnlyAbility
 } from "../../ee/helpers/checkMembershipPermissions";
 import Tag from "../../models/tag";
 import _ from "lodash";
-import { BatchSecretRequest, BatchSecret } from "../../types/secret";
+import { BatchSecret, BatchSecretRequest } from "../../types/secret";
 import Folder from "../../models/folder";
 import {
   getFolderByPath,
-  searchByFolderId,
+  getFolderIdFromServiceToken,
+  searchByFolderId
 } from "../../services/FolderService";
+import { isValidScope } from "../../helpers/secrets";
 
 /**
  * Peform a batch of any specified CUD secret operations
@@ -45,14 +47,15 @@ export const batchSecrets = async (req: Request, res: Response) => {
   const {
     workspaceId,
     environment,
-    folderId,
     requests,
+    secretPath
   }: {
     workspaceId: string;
     environment: string;
-    folderId: string;
     requests: BatchSecretRequest[];
+    secretPath: string;
   } = req.body;
+  let folderId = req.body.folderId as string;
 
   const createSecrets: BatchSecret[] = [];
   const updateSecrets: BatchSecret[] = [];
@@ -61,7 +64,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
 
   // get secret blind index salt
   const salt = await SecretService.getSecretBlindIndexSalt({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
   });
 
   const folders = await Folder.findOne({ workspace: workspaceId, environment });
@@ -70,18 +73,30 @@ export const batchSecrets = async (req: Request, res: Response) => {
     if (!folder) throw BadRequestError({ message: "Folder not found" });
   }
 
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const isValidScopeAccess = isValidScope(req.authData.authPayload, environment, secretPath);
+
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if ((!secretPath && folderId !== "root") || (secretPath && !isValidScopeAccess)) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
+  if (secretPath) {
+    folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);
+  }
+
   for await (const request of requests) {
     // do a validation
 
     let secretBlindIndex = "";
     switch (request.method) {
       case "POST":
-        secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt(
-          {
-            secretName: request.secret.secretName,
-            salt,
-          }
-        );
+        secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+          secretName: request.secret.secretName,
+          salt
+        });
 
         createSecrets.push({
           ...request.secret,
@@ -92,16 +107,14 @@ export const batchSecrets = async (req: Request, res: Response) => {
           folder: folderId,
           secretBlindIndex,
           algorithm: ALGORITHM_AES_256_GCM,
-          keyEncoding: ENCODING_SCHEME_UTF8,
+          keyEncoding: ENCODING_SCHEME_UTF8
         });
         break;
       case "PATCH":
-        secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt(
-          {
-            secretName: request.secret.secretName,
-            salt,
-          }
-        );
+        secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+          secretName: request.secret.secretName,
+          salt
+        });
 
         updateSecrets.push({
           ...request.secret,
@@ -109,7 +122,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
           secretBlindIndex,
           folder: folderId,
           algorithm: ALGORITHM_AES_256_GCM,
-          keyEncoding: ENCODING_SCHEME_UTF8,
+          keyEncoding: ENCODING_SCHEME_UTF8
         });
         break;
       case "DELETE":
@@ -129,9 +142,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
           ...n._doc,
           _id: new Types.ObjectId(),
           secret: n._id,
-          isDeleted: false,
+          isDeleted: false
         };
-      }),
+      })
     });
 
     const addAction = (await EELogService.createAction({
@@ -140,7 +153,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
       serviceAccountId: req.serviceAccount?._id,
       serviceTokenDataId: req.serviceTokenData?._id,
       workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: createdSecrets.map((n) => n._id),
+      secretIds: createdSecrets.map((n) => n._id)
     })) as IAction;
     actions.push(addAction);
 
@@ -152,9 +165,10 @@ export const batchSecrets = async (req: Request, res: Response) => {
           numberOfSecrets: createdSecrets.length,
           environment,
           workspaceId,
+          folderId,
           channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
       });
     }
   }
@@ -173,7 +187,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
     listedSecretsObj = req.secrets.reduce(
       (obj: any, secret: ISecret) => ({
         ...obj,
-        [secret._id.toString()]: secret,
+        [secret._id.toString()]: secret
       }),
       {}
     );
@@ -182,16 +196,16 @@ export const batchSecrets = async (req: Request, res: Response) => {
       updateOne: {
         filter: {
           _id: new Types.ObjectId(u._id),
-          workspace: new Types.ObjectId(workspaceId),
+          workspace: new Types.ObjectId(workspaceId)
         },
         update: {
           $inc: {
-            version: 1,
+            version: 1
           },
           ...u,
-          _id: new Types.ObjectId(u._id),
-        },
-      },
+          _id: new Types.ObjectId(u._id)
+        }
+      }
     }));
 
     await Secret.bulkWrite(updateOperations);
@@ -218,24 +232,25 @@ export const batchSecrets = async (req: Request, res: Response) => {
           algorithm: ALGORITHM_AES_256_GCM,
           keyEncoding: ENCODING_SCHEME_UTF8,
           tags: u.tags,
+          folder: u.folder
         })
     );
 
     await EESecretService.addSecretVersions({
-      secretVersions,
+      secretVersions
     });
 
     updatedSecrets = await Secret.find({
       _id: {
-        $in: updateSecrets.map((u) => new Types.ObjectId(u._id)),
-      },
+        $in: updateSecrets.map((u) => new Types.ObjectId(u._id))
+      }
     });
 
     const updateAction = (await EELogService.createAction({
       name: ACTION_UPDATE_SECRETS,
       userId: req.user._id,
       workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: updatedSecrets.map((u) => u._id),
+      secretIds: updatedSecrets.map((u) => u._id)
     })) as IAction;
     actions.push(updateAction);
 
@@ -247,9 +262,10 @@ export const batchSecrets = async (req: Request, res: Response) => {
           numberOfSecrets: updateSecrets.length,
           environment,
           workspaceId,
+          folderId,
           channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
       });
     }
   }
@@ -258,19 +274,19 @@ export const batchSecrets = async (req: Request, res: Response) => {
   if (deleteSecrets.length > 0) {
     await Secret.deleteMany({
       _id: {
-        $in: deleteSecrets,
-      },
+        $in: deleteSecrets
+      }
     });
 
     await EESecretService.markDeletedSecretVersions({
-      secretIds: deleteSecrets,
+      secretIds: deleteSecrets
     });
 
     const deleteAction = (await EELogService.createAction({
       name: ACTION_DELETE_SECRETS,
       userId: req.user._id,
       workspaceId: new Types.ObjectId(workspaceId),
-      secretIds: deleteSecrets,
+      secretIds: deleteSecrets
     })) as IAction;
     actions.push(deleteAction);
 
@@ -283,8 +299,8 @@ export const batchSecrets = async (req: Request, res: Response) => {
           environment,
           workspaceId,
           channel: channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
       });
     }
   }
@@ -296,22 +312,22 @@ export const batchSecrets = async (req: Request, res: Response) => {
       workspaceId: new Types.ObjectId(workspaceId),
       actions,
       channel,
-      ipAddress: req.ip,
+      ipAddress: req.realIP
     });
   }
 
   // // trigger event - push secrets
   await EventService.handleEvent({
     event: eventPushSecrets({
-      workspaceId: new Types.ObjectId(workspaceId),
-    }),
+      workspaceId: new Types.ObjectId(workspaceId)
+    })
   });
 
   // (EE) take a secret snapshot
   await EESecretService.takeSecretSnapshot({
     workspaceId: new Types.ObjectId(workspaceId),
     environment,
-    folderId,
+    folderId
   });
 
   const resObj: { [key: string]: ISecret[] | string[] } = {};
@@ -394,8 +410,13 @@ export const createSecrets = async (req: Request, res: Response) => {
   const {
     workspaceId,
     environment,
-    folderId,
-  }: { workspaceId: string; environment: string; folderId: string } = req.body;
+    secretPath
+  }: {
+    workspaceId: string;
+    environment: string;
+    secretPath?: string;
+  } = req.body;
+  let folderId = req.body.folderId;
 
   if (req.user) {
     const hasAccess = await userHasWorkspaceAccess(
@@ -406,8 +427,7 @@ export const createSecrets = async (req: Request, res: Response) => {
     );
     if (!hasAccess) {
       throw UnauthorizedRequestError({
-        message:
-          "You do not have the necessary permission(s) perform this action",
+        message: "You do not have the necessary permission(s) perform this action"
       });
     }
   }
@@ -421,9 +441,26 @@ export const createSecrets = async (req: Request, res: Response) => {
     listOfSecretsToCreate = [req.body.secrets];
   }
 
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      environment,
+      secretPath || "/"
+    );
+
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if ((!secretPath && folderId !== "root") || (secretPath && !isValidScopeAccess)) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  if (secretPath) {
+    folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);
+  }
+
   // get secret blind index salt
   const salt = await SecretService.getSecretBlindIndexSalt({
-    workspaceId: new Types.ObjectId(workspaceId),
+    workspaceId: new Types.ObjectId(workspaceId)
   });
 
   type secretsToCreateType = {
@@ -455,15 +492,14 @@ export const createSecrets = async (req: Request, res: Response) => {
         secretCommentCiphertext,
         secretCommentIV,
         secretCommentTag,
-        tags,
+        tags
       }: secretsToCreateType) => {
         let secretBlindIndex;
         if (secretName) {
-          secretBlindIndex =
-            await SecretService.generateSecretBlindIndexWithSalt({
-              secretName,
-              salt,
-            });
+          secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+            secretName,
+            salt
+          });
         }
 
         return {
@@ -485,22 +521,22 @@ export const createSecrets = async (req: Request, res: Response) => {
           secretCommentTag,
           algorithm: ALGORITHM_AES_256_GCM,
           keyEncoding: ENCODING_SCHEME_UTF8,
-          tags,
+          tags
         };
       }
     )
   );
 
-  const newlyCreatedSecrets: ISecret[] = (
-    await Secret.insertMany(secretsToInsert)
-  ).map((insertedSecret) => insertedSecret.toObject());
+  const newlyCreatedSecrets: ISecret[] = (await Secret.insertMany(secretsToInsert)).map(
+    (insertedSecret) => insertedSecret.toObject()
+  );
 
   setTimeout(async () => {
     // trigger event - push secrets
     await EventService.handleEvent({
       event: eventPushSecrets({
-        workspaceId: new Types.ObjectId(workspaceId),
-      }),
+        workspaceId: new Types.ObjectId(workspaceId)
+      })
     });
   }, 5000);
 
@@ -520,7 +556,7 @@ export const createSecrets = async (req: Request, res: Response) => {
         secretKeyTag,
         secretValueCiphertext,
         secretValueIV,
-        secretValueTag,
+        secretValueTag
       }) =>
         new SecretVersion({
           secret: _id,
@@ -539,9 +575,9 @@ export const createSecrets = async (req: Request, res: Response) => {
           secretValueTag,
           folder: folderId,
           algorithm: ALGORITHM_AES_256_GCM,
-          keyEncoding: ENCODING_SCHEME_UTF8,
+          keyEncoding: ENCODING_SCHEME_UTF8
         })
-    ),
+    )
   });
 
   const addAction = await EELogService.createAction({
@@ -550,7 +586,7 @@ export const createSecrets = async (req: Request, res: Response) => {
     serviceAccountId: req.serviceAccount?._id,
     serviceTokenDataId: req.serviceTokenData?._id,
     workspaceId: new Types.ObjectId(workspaceId),
-    secretIds: newlyCreatedSecrets.map((n) => n._id),
+    secretIds: newlyCreatedSecrets.map((n) => n._id)
   });
 
   // (EE) create (audit) log
@@ -562,14 +598,14 @@ export const createSecrets = async (req: Request, res: Response) => {
       workspaceId: new Types.ObjectId(workspaceId),
       actions: [addAction],
       channel,
-      ipAddress: req.ip,
+      ipAddress: req.realIP
     }));
 
   // (EE) take a secret snapshot
   await EESecretService.takeSecretSnapshot({
     workspaceId: new Types.ObjectId(workspaceId),
     environment,
-    folderId,
+    folderId
   });
 
   const postHogClient = await TelemetryService.getPostHogClient();
@@ -577,20 +613,21 @@ export const createSecrets = async (req: Request, res: Response) => {
     postHogClient.capture({
       event: "secrets added",
       distinctId: await TelemetryService.getDistinctId({
-        authData: req.authData,
+        authData: req.authData
       }),
       properties: {
         numberOfSecrets: listOfSecretsToCreate.length,
         environment,
         workspaceId,
         channel: channel,
-        userAgent: req.headers?.["user-agent"],
-      },
+        folderId,
+        userAgent: req.headers?.["user-agent"]
+      }
     });
   }
 
   return res.status(200).send({
-    secrets: newlyCreatedSecrets,
+    secrets: newlyCreatedSecrets
   });
 };
 
@@ -648,22 +685,38 @@ export const getSecrets = async (req: Request, res: Response) => {
   const environment = req.query.environment as string;
 
   const folders = await Folder.findOne({ workspace: workspaceId, environment });
-  if (
-    (!folders && folderId && folderId !== "root") ||
-    (!folders && secretPath)
-  ) {
-    throw BadRequestError({ message: "Folder not found" });
+  if ((!folders && folderId && folderId !== "root") || (!folders && secretPath)) {
+    res.send({ secrets: [] });
+    return;
   }
   if (folders && folderId !== "root") {
     const folder = searchByFolderId(folders.nodes, folderId as string);
-    if (!folder) throw BadRequestError({ message: "Folder not found" });
+    if (!folder) {
+      res.send({ secrets: [] });
+      return;
+    }
+  }
+
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const isValidScopeAccess = isValidScope(
+      req.authData.authPayload,
+      environment,
+      (secretPath as string) || "/"
+    );
+
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if ((!secretPath && folderId !== "root") || (secretPath && !isValidScopeAccess)) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
   }
 
   if (folders && secretPath) {
-    if (!folders) throw BadRequestError({ message: "Folder not found" });
+    // avoid throwing error and send empty list
     const folder = getFolderByPath(folders.nodes, secretPath as string);
     if (!folder) {
-      throw BadRequestError({ message: "Secret path not found" });
+      res.send({ secrets: [] });
+      return;
     }
     folderId = folder.id;
   }
@@ -673,8 +726,7 @@ export const getSecrets = async (req: Request, res: Response) => {
 
   // query tags table to get all tags ids for the tag names for the given workspace
   let tagIds = [];
-  const tagNamesList =
-    typeof tagSlugs === "string" && tagSlugs !== "" ? tagSlugs.split(",") : [];
+  const tagNamesList = typeof tagSlugs === "string" && tagSlugs !== "" ? tagSlugs.split(",") : [];
   if (tagNamesList != undefined && tagNamesList.length != 0) {
     const workspaceFromDB = await Tag.find({ workspace: workspaceId });
     tagIds = _.map(tagNamesList, (tagName: string) => {
@@ -697,8 +749,7 @@ export const getSecrets = async (req: Request, res: Response) => {
     );
     if (hasNoAccess) {
       throw UnauthorizedRequestError({
-        message:
-          "You do not have the necessary permission(s) perform this action",
+        message: "You do not have the necessary permission(s) perform this action"
       });
     }
 
@@ -708,8 +759,8 @@ export const getSecrets = async (req: Request, res: Response) => {
       folder: folderId,
       $or: [
         { user: req.user._id }, // personal secrets for this user
-        { user: { $exists: false } }, // shared secrets from workspace
-      ],
+        { user: { $exists: false } } // shared secrets from workspace
+      ]
     };
 
     if (tagIds.length > 0) {
@@ -736,8 +787,8 @@ export const getSecrets = async (req: Request, res: Response) => {
       environment,
       $or: [
         { user: userId }, // personal secrets for this user
-        { user: { $exists: false } }, // shared secrets from workspace
-      ],
+        { user: { $exists: false } } // shared secrets from workspace
+      ]
     };
 
     if (tagIds.length > 0) {
@@ -755,7 +806,7 @@ export const getSecrets = async (req: Request, res: Response) => {
       workspace: workspaceId,
       environment,
       folder: folderId,
-      user: { $exists: false }, // shared secrets only from workspace
+      user: { $exists: false } // shared secrets only from workspace
     };
 
     if (tagIds.length > 0) {
@@ -773,7 +824,7 @@ export const getSecrets = async (req: Request, res: Response) => {
     serviceAccountId: req.serviceAccount?._id,
     serviceTokenDataId: req.serviceTokenData?._id,
     workspaceId: new Types.ObjectId(workspaceId as string),
-    secretIds: secrets.map((n: any) => n._id),
+    secretIds: secrets.map((n: any) => n._id)
   });
 
   readAction &&
@@ -784,7 +835,7 @@ export const getSecrets = async (req: Request, res: Response) => {
       workspaceId: new Types.ObjectId(workspaceId as string),
       actions: [readAction],
       channel,
-      ipAddress: req.ip,
+      ipAddress: req.realIP
     }));
 
   const postHogClient = await TelemetryService.getPostHogClient();
@@ -792,20 +843,21 @@ export const getSecrets = async (req: Request, res: Response) => {
     postHogClient.capture({
       event: "secrets pulled",
       distinctId: await TelemetryService.getDistinctId({
-        authData: req.authData,
+        authData: req.authData
       }),
       properties: {
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
         channel,
-        userAgent: req.headers?.["user-agent"],
-      },
+        folderId,
+        userAgent: req.headers?.["user-agent"]
+      }
     });
   }
 
   return res.status(200).send({
-    secrets,
+    secrets
   });
 };
 
@@ -859,9 +911,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
         }
     }
     */
-  const channel = req.headers?.["user-agent"]?.toLowerCase().includes("mozilla")
-    ? "web"
-    : "cli";
+  const channel = req.headers?.["user-agent"]?.toLowerCase().includes("mozilla") ? "web" : "cli";
 
   interface PatchSecret {
     id: string;
@@ -877,51 +927,47 @@ export const updateSecrets = async (req: Request, res: Response) => {
     tags: string[];
   }
 
-  const updateOperationsToPerform = req.body.secrets.map(
-    (secret: PatchSecret) => {
-      const {
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag,
-        tags,
-      } = secret;
+  const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
+    const {
+      secretKeyCiphertext,
+      secretKeyIV,
+      secretKeyTag,
+      secretValueCiphertext,
+      secretValueIV,
+      secretValueTag,
+      secretCommentCiphertext,
+      secretCommentIV,
+      secretCommentTag,
+      tags
+    } = secret;
 
-      return {
-        updateOne: {
-          filter: { _id: new Types.ObjectId(secret.id) },
-          update: {
-            $inc: {
-              version: 1,
-            },
-            secretKeyCiphertext,
-            secretKeyIV,
-            secretKeyTag,
-            secretValueCiphertext,
-            secretValueIV,
-            secretValueTag,
-            algorithm: ALGORITHM_AES_256_GCM,
-            keyEncoding: ENCODING_SCHEME_UTF8,
-            tags,
-            ...(secretCommentCiphertext !== undefined &&
-            secretCommentIV &&
-            secretCommentTag
-              ? {
-                  secretCommentCiphertext,
-                  secretCommentIV,
-                  secretCommentTag,
-                }
-              : {}),
+    return {
+      updateOne: {
+        filter: { _id: new Types.ObjectId(secret.id) },
+        update: {
+          $inc: {
+            version: 1
           },
-        },
-      };
-    }
-  );
+          secretKeyCiphertext,
+          secretKeyIV,
+          secretKeyTag,
+          secretValueCiphertext,
+          secretValueIV,
+          secretValueTag,
+          algorithm: ALGORITHM_AES_256_GCM,
+          keyEncoding: ENCODING_SCHEME_UTF8,
+          tags,
+          ...(secretCommentCiphertext !== undefined && secretCommentIV && secretCommentTag
+            ? {
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag
+              }
+            : {})
+        }
+      }
+    };
+  });
 
   await Secret.bulkWrite(updateOperationsToPerform);
 
@@ -943,7 +989,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
         secretCommentCiphertext,
         secretCommentIV,
         secretCommentTag,
-        tags,
+        tags
       } = secretModificationsBySecretId[secret._id.toString()];
 
       return {
@@ -952,9 +998,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
         workspace: secret.workspace,
         type: secret.type,
         environment: secret.environment,
-        secretKeyCiphertext: secretKeyCiphertext
-          ? secretKeyCiphertext
-          : secret.secretKeyCiphertext,
+        secretKeyCiphertext: secretKeyCiphertext ? secretKeyCiphertext : secret.secretKeyCiphertext,
         secretKeyIV: secretKeyIV ? secretKeyIV : secret.secretKeyIV,
         secretKeyTag: secretKeyTag ? secretKeyTag : secret.secretKeyTag,
         secretValueCiphertext: secretValueCiphertext
@@ -965,17 +1009,13 @@ export const updateSecrets = async (req: Request, res: Response) => {
         secretCommentCiphertext: secretCommentCiphertext
           ? secretCommentCiphertext
           : secret.secretCommentCiphertext,
-        secretCommentIV: secretCommentIV
-          ? secretCommentIV
-          : secret.secretCommentIV,
-        secretCommentTag: secretCommentTag
-          ? secretCommentTag
-          : secret.secretCommentTag,
+        secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
+        secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
         tags: tags ? tags : secret.tags,
         algorithm: ALGORITHM_AES_256_GCM,
-        keyEncoding: ENCODING_SCHEME_UTF8,
+        keyEncoding: ENCODING_SCHEME_UTF8
       };
-    }),
+    })
   };
 
   await EESecretService.addSecretVersions(secretVersions);
@@ -996,8 +1036,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
     setTimeout(async () => {
       await EventService.handleEvent({
         event: eventPushSecrets({
-          workspaceId: new Types.ObjectId(key),
-        }),
+          workspaceId: new Types.ObjectId(key)
+        })
       });
     }, 10000);
 
@@ -1007,7 +1047,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
       serviceAccountId: req.serviceAccount?._id,
       serviceTokenDataId: req.serviceTokenData?._id,
       workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id),
+      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
     });
 
     // (EE) create (audit) log
@@ -1019,7 +1059,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
         workspaceId: new Types.ObjectId(key),
         actions: [updateAction],
         channel,
-        ipAddress: req.ip,
+        ipAddress: req.realIP
       }));
 
     // (EE) take a secret snapshot
@@ -1035,15 +1075,15 @@ export const updateSecrets = async (req: Request, res: Response) => {
       postHogClient.capture({
         event: "secrets modified",
         distinctId: await TelemetryService.getDistinctId({
-          authData: req.authData,
+          authData: req.authData
         }),
         properties: {
           numberOfSecrets: workspaceSecretObj[key].length,
           environment: workspaceSecretObj[key][0].environment,
           workspaceId: key,
           channel: channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
       });
     }
   });
@@ -1051,9 +1091,9 @@ export const updateSecrets = async (req: Request, res: Response) => {
   return res.status(200).send({
     secrets: await Secret.find({
       _id: {
-        $in: req.secrets.map((secret: ISecret) => secret._id),
-      },
-    }),
+        $in: req.secrets.map((secret: ISecret) => secret._id)
+      }
+    })
   });
 };
 
@@ -1113,12 +1153,12 @@ export const deleteSecrets = async (req: Request, res: Response) => {
 
   await Secret.deleteMany({
     _id: {
-      $in: toDelete,
-    },
+      $in: toDelete
+    }
   });
 
   await EESecretService.markDeletedSecretVersions({
-    secretIds: toDelete,
+    secretIds: toDelete
   });
 
   // group secrets into workspaces so deleted secrets can
@@ -1136,8 +1176,8 @@ export const deleteSecrets = async (req: Request, res: Response) => {
     // trigger event - push secrets
     await EventService.handleEvent({
       event: eventPushSecrets({
-        workspaceId: new Types.ObjectId(key),
-      }),
+        workspaceId: new Types.ObjectId(key)
+      })
     });
     const deleteAction = await EELogService.createAction({
       name: ACTION_DELETE_SECRETS,
@@ -1145,7 +1185,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
       serviceAccountId: req.serviceAccount?._id,
       serviceTokenDataId: req.serviceTokenData?._id,
       workspaceId: new Types.ObjectId(key),
-      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id),
+      secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
     });
 
     // (EE) create (audit) log
@@ -1157,7 +1197,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
         workspaceId: new Types.ObjectId(key),
         actions: [deleteAction],
         channel,
-        ipAddress: req.ip,
+        ipAddress: req.realIP
       }));
 
     // (EE) take a secret snapshot
@@ -1171,20 +1211,20 @@ export const deleteSecrets = async (req: Request, res: Response) => {
       postHogClient.capture({
         event: "secrets deleted",
         distinctId: await TelemetryService.getDistinctId({
-          authData: req.authData,
+          authData: req.authData
         }),
         properties: {
           numberOfSecrets: workspaceSecretObj[key].length,
           environment: workspaceSecretObj[key][0].environment,
           workspaceId: key,
           channel: channel,
-          userAgent: req.headers?.["user-agent"],
-        },
+          userAgent: req.headers?.["user-agent"]
+        }
       });
     }
   });
 
   return res.status(200).send({
-    secrets: req.secrets,
+    secrets: req.secrets
   });
 };

backend/src/controllers/v2/serviceAccountsController.ts

@@ -1,18 +1,18 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
 import { 
     ServiceAccount,
     ServiceAccountKey,
     ServiceAccountOrganizationPermission,
-    ServiceAccountWorkspacePermission
-} from '../../models';
+    ServiceAccountWorkspacePermission,
+} from "../../models";
 import {
-    CreateServiceAccountDto
-} from '../../interfaces/serviceAccounts/dto';
-import { BadRequestError, ServiceAccountNotFoundError } from '../../utils/errors';
-import { getSaltRounds } from '../../config';
+    CreateServiceAccountDto,
+} from "../../interfaces/serviceAccounts/dto";
+import { BadRequestError, ServiceAccountNotFoundError } from "../../utils/errors";
+import { getSaltRounds } from "../../config";
 
 /**
  * Return service account tied to the request (service account) client
@@ -23,11 +23,11 @@ export const getCurrentServiceAccount = async (req: Request, res: Response) => {
     const serviceAccount = await ServiceAccount.findById(req.serviceAccount._id);
     
     if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
     }
     
     return res.status(200).send({
-        serviceAccount
+        serviceAccount,
     });
 }
 
@@ -42,11 +42,11 @@ export const getServiceAccountById = async (req: Request, res: Response) => {
     const serviceAccount = await ServiceAccount.findById(serviceAccountId);
     
     if (!serviceAccount) {
-        throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+        throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
     }
     
     return res.status(200).send({
-        serviceAccount
+        serviceAccount,
     });
 }
 
@@ -71,7 +71,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
         expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
     }
 
-    const secret = crypto.randomBytes(16).toString('base64');
+    const secret = crypto.randomBytes(16).toString("base64");
     const secretHash = await bcrypt.hash(secret, await getSaltRounds());
     
     // create service account
@@ -82,7 +82,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
         publicKey,
         lastUsed: new Date(),
         expiresAt,
-        secretHash
+        secretHash,
     }).save();
     
     const serviceAccountObj = serviceAccount.toObject();
@@ -91,14 +91,14 @@ export const createServiceAccount = async (req: Request, res: Response) => {
 
     // provision default org-level permission for service account
     await new ServiceAccountOrganizationPermission({
-        serviceAccount: serviceAccount._id
+        serviceAccount: serviceAccount._id,
     }).save();
     
-    const secretId = Buffer.from(serviceAccount._id.toString(), 'hex').toString('base64');
+    const secretId = Buffer.from(serviceAccount._id.toString(), "hex").toString("base64");
 
     return res.status(200).send({
         serviceAccountAccessKey: `sa.${secretId}.${secret}`,
-        serviceAccount: serviceAccountObj
+        serviceAccount: serviceAccountObj,
     });
 }
 
@@ -114,18 +114,18 @@ export const changeServiceAccountName = async (req: Request, res: Response) => {
     
     const serviceAccount = await ServiceAccount.findOneAndUpdate(
         {
-            _id: new Types.ObjectId(serviceAccountId)
+            _id: new Types.ObjectId(serviceAccountId),
         },
         {
-            name
+            name,
         },
         {
-            new: true
+            new: true,
         }
     );
     
     return res.status(200).send({
-        serviceAccount
+        serviceAccount,
     });
 }
 
@@ -140,7 +140,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
     const {
         workspaceId,
         encryptedKey,
-        nonce
+        nonce,
     } = req.body;
     
     const serviceAccountKey = await new ServiceAccountKey({
@@ -148,7 +148,7 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
         nonce,
         sender: req.user._id,
         serviceAccount: req.serviceAccount._d,
-        workspace: new Types.ObjectId(workspaceId)
+        workspace: new Types.ObjectId(workspaceId),
     }).save();
 
     return serviceAccountKey;
@@ -161,11 +161,11 @@ export const addServiceAccountKey = async (req: Request, res: Response) => {
  */
 export const getServiceAccountWorkspacePermissions = async (req: Request, res: Response) => {
     const serviceAccountWorkspacePermissions = await ServiceAccountWorkspacePermission.find({
-        serviceAccount: req.serviceAccount._id
-    }).populate('workspace');
+        serviceAccount: req.serviceAccount._id,
+    }).populate("workspace");
     
     return res.status(200).send({
-        serviceAccountWorkspacePermissions
+        serviceAccountWorkspacePermissions,
     });
 }
 
@@ -182,34 +182,34 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
         read = false,
         write = false,
         encryptedKey,
-        nonce
+        nonce,
     } = req.body;
     
     if (!req.membership.workspace.environments.some((e: { name: string; slug: string }) => e.slug === environment)) {
         return res.status(400).send({
-            message: 'Failed to validate workspace environment'
+            message: "Failed to validate workspace environment",
         });
     }
     
     const existingPermission = await ServiceAccountWorkspacePermission.findOne({
         serviceAccount: new Types.ObjectId(serviceAccountId),
         workspace: new Types.ObjectId(workspaceId),
-        environment
+        environment,
     });
     
-    if (existingPermission) throw BadRequestError({ message: 'Failed to add workspace permission to service account due to already-existing ' });
+    if (existingPermission) throw BadRequestError({ message: "Failed to add workspace permission to service account due to already-existing " });
 
     const serviceAccountWorkspacePermission = await new ServiceAccountWorkspacePermission({
         serviceAccount: new Types.ObjectId(serviceAccountId),
         workspace: new Types.ObjectId(workspaceId),
         environment,
         read,
-        write
+        write,
     }).save();
     
     const existingServiceAccountKey = await ServiceAccountKey.findOne({
         serviceAccount: new Types.ObjectId(serviceAccountId),
-        workspace: new Types.ObjectId(workspaceId) 
+        workspace: new Types.ObjectId(workspaceId), 
     });
     
     if (!existingServiceAccountKey) {
@@ -218,12 +218,12 @@ export const addServiceAccountWorkspacePermission = async (req: Request, res: Re
             nonce,
             sender: req.user._id,
             serviceAccount: new Types.ObjectId(serviceAccountId),
-            workspace: new Types.ObjectId(workspaceId)
+            workspace: new Types.ObjectId(workspaceId),
         }).save();
     }
 
     return res.status(200).send({
-        serviceAccountWorkspacePermission
+        serviceAccountWorkspacePermission,
     });
 }
 
@@ -240,19 +240,19 @@ export const deleteServiceAccountWorkspacePermission = async (req: Request, res:
         const { serviceAccount, workspace } = serviceAccountWorkspacePermission;
         const count = await ServiceAccountWorkspacePermission.countDocuments({
             serviceAccount,
-            workspace
+            workspace,
         });
         
         if (count === 0) {
             await ServiceAccountKey.findOneAndDelete({
                 serviceAccount,
-                workspace
+                workspace,
             });
         }
     }
 
     return res.status(200).send({
-        serviceAccountWorkspacePermission
+        serviceAccountWorkspacePermission,
     });
 }
 
@@ -269,20 +269,20 @@ export const deleteServiceAccount = async (req: Request, res: Response) => {
 
     if (serviceAccount) {
         await ServiceAccountKey.deleteMany({
-            serviceAccount: serviceAccount._id
+            serviceAccount: serviceAccount._id,
         });
 
         await ServiceAccountOrganizationPermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
+            serviceAccount: new Types.ObjectId(serviceAccountId),
         });
 
         await ServiceAccountWorkspacePermission.deleteMany({
-            serviceAccount: new Types.ObjectId(serviceAccountId)
+            serviceAccount: new Types.ObjectId(serviceAccountId),
         });
     }
 
     return res.status(200).send({
-        serviceAccount
+        serviceAccount,
     });
 }
 
@@ -297,10 +297,10 @@ export const getServiceAccountKeys = async (req: Request, res: Response) => {
     
     const serviceAccountKeys = await ServiceAccountKey.find({
         serviceAccount: req.serviceAccount._id,
-        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {})
+        ...(workspaceId ? { workspace: new Types.ObjectId(workspaceId) } : {}),
     });
     
     return res.status(200).send({
-        serviceAccountKeys
+        serviceAccountKeys,
     });
 }

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,30 +1,21 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
-import {
-    User,
-    ServiceAccount,
-    ServiceTokenData
-} from '../../models';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { 
-    PERMISSION_READ_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN
-} from '../../variables';
-import { getSaltRounds } from '../../config';
-import { BadRequestError } from '../../utils/errors';
+import { Request, Response } from "express";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
+import { ServiceAccount, ServiceTokenData, User } from "../../models";
+import { AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT } from "../../variables";
+import { getSaltRounds } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
 
 /**
  * Return service token data associated with service token on request
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getServiceTokenData = async (req: Request, res: Response) => {
-    /* 
+  /* 
     #swagger.summary = 'Return Infisical Token data'
     #swagger.description = 'Return Infisical Token data'
     
@@ -37,111 +28,106 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
             "application/json": {
                 "schema": { 
                     "type": "object",
-					"properties": {
+          "properties": {
                         "serviceTokenData": {
                             "type": "object",
                             $ref: "#/components/schemas/ServiceTokenData",
                             "description": "Details of service token"
                         }
-					}
+          }
                 }
             }           
         }
     }   
     */
 
-    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
-        message: 'Failed accepted client validation for service token data'
+  if (!(req.authData.authPayload instanceof ServiceTokenData))
+    throw BadRequestError({
+      message: "Failed accepted client validation for service token data"
     });
 
-    const serviceTokenData = await ServiceTokenData
-        .findById(req.authData.authPayload._id)
-        .select('+encryptedKey +iv +tag')
-        .populate('user');
+  const serviceTokenData = await ServiceTokenData.findById(req.authData.authPayload._id)
+    .select("+encryptedKey +iv +tag")
+    .populate("user")
+    .lean();
 
-    return res.status(200).json(serviceTokenData);
-}
+  return res.status(200).json(serviceTokenData);
+};
 
 /**
  * Create new service token data for workspace with id [workspaceId] and
  * environment [environment].
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
+  let serviceTokenData;
 
-    const {
-        name,
-        workspaceId,
-        environment,
-        encryptedKey,
-        iv,
-        tag,
-        expiresIn,
-        permissions
-    } = req.body;
+  const { name, workspaceId, encryptedKey, iv, tag, expiresIn, permissions, scopes } = req.body;
 
-    const secret = crypto.randomBytes(16).toString('hex');
-    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+  const secret = crypto.randomBytes(16).toString("hex");
+  const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 
-    let expiresAt; 
-    if (expiresIn) {
-        expiresAt = new Date()
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-    }
+  let expiresAt;
+  if (expiresIn) {
+    expiresAt = new Date();
+    expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+  }
 
-    let user, serviceAccount;
-    
-    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
-        user = req.authData.authPayload._id;
-    }
+  let user, serviceAccount;
 
-    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
-        serviceAccount = req.authData.authPayload._id;
-    }
-        
-    serviceTokenData = await new ServiceTokenData({
-        name,
-        workspace: workspaceId,
-        environment,
-        user,
-        serviceAccount,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash,
-        encryptedKey,
-        iv,
-        tag,
-        permissions
-    }).save();
+  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
+    user = req.authData.authPayload._id;
+  }
 
-    // return service token data without sensitive data
-    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+  if (
+    req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
+    req.authData.authPayload instanceof ServiceAccount
+  ) {
+    serviceAccount = req.authData.authPayload._id;
+  }
 
-    if (!serviceTokenData) throw new Error('Failed to find service token data');
+  serviceTokenData = await new ServiceTokenData({
+    name,
+    workspace: workspaceId,
+    user,
+    serviceAccount,
+    scopes,
+    lastUsed: new Date(),
+    expiresAt,
+    secretHash,
+    encryptedKey,
+    iv,
+    tag,
+    permissions
+  }).save();
 
-    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+  // return service token data without sensitive data
+  serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
 
-    return res.status(200).send({
-        serviceToken,
-        serviceTokenData
-    });
-}
+  if (!serviceTokenData) throw new Error("Failed to find service token data");
+
+  const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
+  return res.status(200).send({
+    serviceToken,
+    serviceTokenData
+  });
+};
 
 /**
  * Delete service token data with id [serviceTokenDataId].
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    const { serviceTokenDataId } = req.params;
+  const { serviceTokenDataId } = req.params;
 
-    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+  const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
 
-    return res.status(200).send({
-        serviceTokenData
-    });
-}
+  return res.status(200).send({
+    serviceTokenData
+  });
+};

backend/src/controllers/v2/signupController.ts

@@ -1,15 +1,14 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import { Request, Response } from "express";
+import { MembershipOrg, User } from "../../models";
+import { completeAccount } from "../../helpers/user";
 import {
-	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueAuthTokens } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import { standardRequest } from '../../config/request';
-import { getLoopsApiKey, getHttpsEnabled } from '../../config';
-import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+	initializeDefaultOrg,
+} from "../../helpers/signup";
+import { issueAuthTokens } from "../../helpers/auth";
+import { ACCEPTED, INVITED } from "../../variables";
+import { standardRequest } from "../../config/request";
+import { getHttpsEnabled, getLoopsApiKey } from "../../config";
+import { updateSubscriptionOrgQuantity } from "../../helpers/organization";
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -20,141 +19,135 @@ import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
  */
 export const completeAccountSignup = async (req: Request, res: Response) => {
 	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier,
-			organizationName
-		}: {
-			email: string;
-			firstName: string;
-			lastName: string;
-			protectedKey: string;
-			protectedKeyIV: string;
-			protectedKeyTag: string;
-			publicKey: string;
-			encryptedPrivateKey: string;
-			encryptedPrivateKeyIV: string;
-			encryptedPrivateKeyTag: string;
-			salt: string;
-			verifier: string;
-			organizationName: string;
-		} = req.body;
+  const {
+    email,
+    firstName,
+    lastName,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier,
+    organizationName,
+  }: {
+    email: string;
+    firstName: string;
+    lastName: string;
+    protectedKey: string;
+    protectedKeyIV: string;
+    protectedKeyTag: string;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    encryptedPrivateKeyIV: string;
+    encryptedPrivateKeyTag: string;
+    salt: string;
+    verifier: string;
+    organizationName: string;
+  } = req.body;
 
-		// get user
-		user = await User.findOne({ email });
+  // get user
+  user = await User.findOne({ email });
 
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
+  if (!user || (user && user?.publicKey)) {
+    // case 1: user doesn't exist.
+    // case 2: user has already completed account
+    return res.status(403).send({
+      error: "Failed to complete account for complete user",
+    });
+  }
 
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		});
+  // complete setting up user's account
+  user = await completeAccount({
+    userId: user._id.toString(),
+    firstName,
+    lastName,
+    encryptionVersion: 2,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier,
+  });
 
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+  if (!user)
+    throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null
 
-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user
-		});
+  // initialize default organization and workspace
+  await initializeDefaultOrg({
+    organizationName,
+    user,
+  });
 
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		const membershipsToUpdate = await MembershipOrg.find({
-			inviteEmail: email,
-			status: INVITED
-		});
-		
-		membershipsToUpdate.forEach(async (membership) => {
-			await updateSubscriptionOrgQuantity({
-				organizationId: membership.organization.toString()
-			});
-		});
+  // update organization membership statuses that are
+  // invited to completed with user attached
+  const membershipsToUpdate = await MembershipOrg.find({
+    inviteEmail: email,
+    status: INVITED,
+  });
+  
+  membershipsToUpdate.forEach(async (membership) => {
+    await updateSubscriptionOrgQuantity({
+      organizationId: membership.organization.toString(),
+    });
+  });
 
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
+  // update organization membership statuses that are
+  // invited to completed with user attached
+  await MembershipOrg.updateMany(
+    {
+      inviteEmail: email,
+      status: INVITED,
+    },
+    {
+      user,
+      status: ACCEPTED,
+    }
+  );
 
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
-		});
+  // issue tokens
+  const tokens = await issueAuthTokens({
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? "",
+  });
 
-		token = tokens.token;
+  token = tokens.token;
 
-		// sending a welcome email to new users
-		if (await getLoopsApiKey()) {
-			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + (await getLoopsApiKey())
-				},
-			});
-		}
+  // sending a welcome email to new users
+  if (await getLoopsApiKey()) {
+    await standardRequest.post("https://app.loops.so/api/v1/events/send", {
+      "email": email,
+      "eventName": "Sign Up",
+      "firstName": firstName,
+      "lastName": lastName,
+    }, {
+      headers: {
+        "Accept": "application/json",
+        "Authorization": "Bearer " + (await getLoopsApiKey()),
+      },
+    });
+  }
 
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: await getHttpsEnabled()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
+  // store (refresh) token in httpOnly cookie
+  res.cookie("jid", tokens.refreshToken, {
+    httpOnly: true,
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
+  });
 
 	return res.status(200).send({
-		message: 'Successfully set up account',
+		message: "Successfully set up account",
 		user,
-		token
+		token,
 	});
 };
 
@@ -167,109 +160,103 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
  */
 export const completeAccountInvite = async (req: Request, res: Response) => {
 	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
+  const {
+    email,
+    firstName,
+    lastName,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier,
+  } = req.body;
 
-		// get user
-		user = await User.findOne({ email });
+  // get user
+  user = await User.findOne({ email });
 
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
+  if (!user || (user && user?.publicKey)) {
+    // case 1: user doesn't exist.
+    // case 2: user has already completed account
+    return res.status(403).send({
+      error: "Failed to complete account for complete user",
+    });
+  }
 
-		const membershipOrg = await MembershipOrg.findOne({
-			inviteEmail: email,
-			status: INVITED
-		});
+  const membershipOrg = await MembershipOrg.findOne({
+    inviteEmail: email,
+    status: INVITED,
+  });
 
-		if (!membershipOrg) throw new Error('Failed to find invitations for email');
+  if (!membershipOrg) throw new Error("Failed to find invitations for email");
 
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		});
+  // complete setting up user's account
+  user = await completeAccount({
+    userId: user._id.toString(),
+    firstName,
+    lastName,
+    encryptionVersion: 2,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier,
+  });
 
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user');
-		
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		const membershipsToUpdate = await MembershipOrg.find({
-			inviteEmail: email,
-			status: INVITED
-		});
-		
-		membershipsToUpdate.forEach(async (membership) => {
-			await updateSubscriptionOrgQuantity({
-				organizationId: membership.organization.toString()
-			});
-		});
+  if (!user)
+    throw new Error("Failed to complete account for non-existent user");
+  
+  // update organization membership statuses that are
+  // invited to completed with user attached
+  const membershipsToUpdate = await MembershipOrg.find({
+    inviteEmail: email,
+    status: INVITED,
+  });
+  
+  membershipsToUpdate.forEach(async (membership) => {
+    await updateSubscriptionOrgQuantity({
+      organizationId: membership.organization.toString(),
+    });
+  });
 
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
+  await MembershipOrg.updateMany(
+    {
+      inviteEmail: email,
+      status: INVITED,
+    },
+    {
+      user,
+      status: ACCEPTED,
+    }
+  );
 
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
-		});
+  // issue tokens
+  const tokens = await issueAuthTokens({
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers["user-agent"] ?? "",
+  });
 
-		token = tokens.token;
+  token = tokens.token;
 
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: await getHttpsEnabled()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
+  // store (refresh) token in httpOnly cookie
+  res.cookie("jid", tokens.refreshToken, {
+    httpOnly: true,
+    path: "/",
+    sameSite: "strict",
+    secure: await getHttpsEnabled(),
+  });
 
 	return res.status(200).send({
-		message: 'Successfully set up account',
+		message: "Successfully set up account",
 		user,
-		token
+		token,
 	});
-};
+};

backend/src/controllers/v2/tagController.ts

@@ -1,72 +1,59 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import {
-	Membership, Secret,
-} from '../../models';
-import Tag, { ITag } from '../../models/tag';
-import { Builder } from "builder-pattern"
-import to from 'await-to-js';
-import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
-import { MongoError } from 'mongodb';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Membership, Secret } from "../../models";
+import Tag from "../../models/tag";
+import { BadRequestError, UnauthorizedRequestError } from "../../utils/errors";
 
 export const createWorkspaceTag = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const { name, slug } = req.body
-	const sanitizedTagToCreate = Builder<ITag>()
-		.name(name)
-		.workspace(new Types.ObjectId(workspaceId))
-		.slug(slug)
-		.user(new Types.ObjectId(req.user._id))
-		.build();
-
-	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
-
-	if (err) {
-		if ((err as MongoError).code === 11000) {
-			throw BadRequestError({ message: "Tags must be unique in a workspace" })
-		}
-
-		throw err
-	}
-
-	res.json(createdTag)
-}
+  const { workspaceId } = req.params;
+  const { name, slug } = req.body;
+  
+  const tagToCreate = {
+      name,
+      workspace: new Types.ObjectId(workspaceId),
+      slug,
+      user: new Types.ObjectId(req.user._id),
+    };
+  
+  const createdTag = await new Tag(tagToCreate).save();
+  
+  res.json(createdTag);
+};
 
 export const deleteWorkspaceTag = async (req: Request, res: Response) => {
-	const { tagId } = req.params
+  const { tagId } = req.params;
 
-	const tagFromDB = await Tag.findById(tagId)
-	if (!tagFromDB) {
-		throw BadRequestError()
-	}
+  const tagFromDB = await Tag.findById(tagId);
+  if (!tagFromDB) {
+    throw BadRequestError();
+  }
 
-	// can only delete if the request user is one that belongs to the same workspace as the tag
-	const membership = await Membership.findOne({
-		user: req.user,
-		workspace: tagFromDB.workspace
-	});
+  // can only delete if the request user is one that belongs to the same workspace as the tag
+  const membership = await Membership.findOne({
+    user: req.user,
+    workspace: tagFromDB.workspace
+  });
 
-	if (!membership) {
-		UnauthorizedRequestError({ message: 'Failed to validate membership' });
-	}
+  if (!membership) {
+    UnauthorizedRequestError({ message: "Failed to validate membership" });
+  }
 
-	const result = await Tag.findByIdAndDelete(tagId);
+  const result = await Tag.findByIdAndDelete(tagId);
 
-	// remove the tag from secrets
-	await Secret.updateMany(
-		{ tags: { $in: [tagId] } },
-		{ $pull: { tags: tagId } }
-	);
+  // remove the tag from secrets
+  await Secret.updateMany({ tags: { $in: [tagId] } }, { $pull: { tags: tagId } });
 
-	res.json(result);
-}
+  res.json(result);
+};
 
 export const getWorkspaceTags = async (req: Request, res: Response) => {
-	const { workspaceId } = req.params
-	const workspaceTags = await Tag.find({ workspace: workspaceId })
-	return res.json({
-		workspaceTags
-	})
-}
+  const { workspaceId } = req.params;
+  
+  const workspaceTags = await Tag.find({ 
+    workspace: new Types.ObjectId(workspaceId) 
+  });
+  
+  return res.json({
+    workspaceTags
+  });
+};

backend/src/controllers/v2/usersController.ts

@@ -1,9 +1,14 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
 import {
+    MembershipOrg,
     User,
-    MembershipOrg
-} from '../../models';
+    APIKeyData,
+    TokenVersion
+} from "../../models";
+import { getSaltRounds } from "../../config";
 
 /**
  * Return the current user.
@@ -37,21 +42,12 @@ export const getMe = async (req: Request, res: Response) => {
         }
     }   
     */
-    let user;
-    try {
-        user = await User
-            .findById(req.user._id)
-            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get current user'
-		});
-    }
+    const user = await User
+        .findById(req.user._id)
+        .select("+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag");
     
     return res.status(200).send({
-        user
+        user,
     });
 }
 
@@ -64,32 +60,23 @@ export const getMe = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateMyMfaEnabled = async (req: Request, res: Response) => {
-    let user;
-    try {
-        const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
-        req.user.isMfaEnabled = isMfaEnabled;
-        
-        if (isMfaEnabled) { 
-            // TODO: adapt this route/controller 
-            // to work for different forms of MFA
-            req.user.mfaMethods = ['email'];
-        } else {
-            req.user.mfaMethods = [];
-        }
-
-        await req.user.save();
-        
-        user = req.user;
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to update current user's MFA status"
-		}); 
+    const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
+    req.user.isMfaEnabled = isMfaEnabled;
+    
+    if (isMfaEnabled) { 
+        // TODO: adapt this route/controller 
+        // to work for different forms of MFA
+        req.user.mfaMethods = ["email"];
+    } else {
+        req.user.mfaMethods = [];
     }
+
+    await req.user.save();
+    
+    const user = req.user;
     
     return res.status(200).send({
-        user
+        user,
     });
 }
 
@@ -126,22 +113,116 @@ export const getMyOrganizations = async (req: Request, res: Response) => {
         }
     }   
     */
-	let organizations;
-	try {
-		organizations = (
-			await MembershipOrg.find({
-				user: req.user._id
-			}).populate('organization')
-		).map((m) => m.organization);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get current user's organizations"
-		});
-	}
+  const organizations = (
+    await MembershipOrg.find({
+      user: req.user._id,
+    }).populate("organization")
+  ).map((m) => m.organization);
 
 	return res.status(200).send({
-		organizations
+		organizations,
 	});
+}
+
+/**
+ * Return API keys belonging to current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMyAPIKeys = async (req: Request, res: Response) => {
+    const apiKeyData = await APIKeyData.find({
+		user: req.user._id,
+	});
+
+	return res.status(200).send(apiKeyData);
+}
+
+/**
+ * Create new API key for current user.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createAPIKey = async (req: Request, res: Response) => {
+	const { name, expiresIn } = req.body;
+
+	const secret = crypto.randomBytes(16).toString("hex");
+	const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+
+	const expiresAt = new Date();
+	expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+
+	let apiKeyData = await new APIKeyData({
+		name,
+		lastUsed: new Date(),
+		expiresAt,
+		user: req.user._id,
+		secretHash,
+	}).save();
+
+	// return api key data without sensitive data
+	apiKeyData = (await APIKeyData.findById(apiKeyData._id)) as any;
+
+	if (!apiKeyData) throw new Error("Failed to find API key data");
+
+	const apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
+
+	return res.status(200).send({
+		apiKey,
+		apiKeyData,
+	});
+}
+
+/**
+ * Delete API key with id [apiKeyDataId] belonging to current user
+ * @param req 
+ * @param res 
+ */
+export const deleteAPIKey = async (req: Request, res: Response) => {
+    const { apiKeyDataId } = req.params;
+
+    const apiKeyData = await APIKeyData.findOneAndDelete({
+        _id: new Types.ObjectId(apiKeyDataId),
+        user: req.user._id
+    });
+
+	return res.status(200).send({
+		apiKeyData
+	});
+}
+
+/**
+ * Return active sessions (TokenVersion) belonging to user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getMySessions = async (req: Request, res: Response) => {
+    const tokenVersions = await TokenVersion.find({
+        user: req.user._id
+    });
+    
+    return res.status(200).send(tokenVersions);
+}
+
+/**
+ * Revoke all active sessions belong to user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteMySessions = async (req: Request, res: Response) => {
+    await TokenVersion.updateMany({
+        user: req.user._id,
+    }, {
+        $inc: {
+            refreshVersion: 1,
+            accessVersion: 1,
+        },
+    });
+
+    return res.status(200).send({
+        message: "Successfully revoked all sessions"
+    });
 }

backend/src/controllers/v2/workspaceController.ts

@@ -1,26 +1,19 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
 import {
-	Workspace,
-	Secret,
-	Membership,
-	MembershipOrg,
-	Integration,
-	IntegrationAuth,
 	Key,
-	IUser,
-	ServiceToken,
-	ServiceTokenData
-} from '../../models';
+	Membership,
+	ServiceTokenData,
+	Workspace,
+} from "../../models";
 import {
-	v2PushSecrets as push,
 	pullSecrets as pull,
-	reformatPullSecrets
-} from '../../helpers/secret';
-import { pushKeys } from '../../helpers/key';
-import { TelemetryService, EventService } from '../../services';
-import { eventPushSecrets } from '../../events';
+	v2PushSecrets as push,
+	reformatPullSecrets,
+} from "../../helpers/secret";
+import { pushKeys } from "../../helpers/key";
+import { EventService, TelemetryService } from "../../services";
+import { eventPushSecrets } from "../../events";
 
 interface V2PushSecret {
 	type: string; // personal or shared
@@ -47,69 +40,60 @@ interface V2PushSecret {
  */
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		let { secrets }: { secrets: V2PushSecret[] } = req.body;
-		const { keys, environment, channel } = req.body;
-		const { workspaceId } = req.params;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  let { secrets }: { secrets: V2PushSecret[] } = req.body;
+  const { keys, environment, channel } = req.body;
+  const { workspaceId } = req.params;
 
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }
 
-		// sanitize secrets
-		secrets = secrets.filter(
-			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
-		);
+  // sanitize secrets
+  secrets = secrets.filter(
+    (s: V2PushSecret) => s.secretKeyCiphertext !== "" && s.secretValueCiphertext !== ""
+  );
 
-		await push({
-			userId: req.user._id,
-			workspaceId,
-			environment,
-			secrets,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
+  await push({
+    userId: req.user._id,
+    workspaceId,
+    environment,
+    secrets,
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP,
+  });
 
-		await pushKeys({
-			userId: req.user._id,
-			workspaceId,
-			keys
-		});
+  await pushKeys({
+    userId: req.user._id,
+    workspaceId,
+    keys,
+  });
 
-		if (postHogClient) {
-			postHogClient.capture({
-				event: 'secrets pushed',
-				distinctId: req.user.email,
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
+  if (postHogClient) {
+    postHogClient.capture({
+      event: "secrets pushed",
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli",
+      },
+    });
+  }
 
-		// trigger event - push secrets
-		EventService.handleEvent({
-			event: eventPushSecrets({
-				workspaceId: new Types.ObjectId(workspaceId),
-				environment
-			})
-		});
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload workspace secrets'
-		});
-	}
+  // trigger event - push secrets
+  EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
 
 	return res.status(200).send({
-		message: 'Successfully uploaded workspace secrets'
+		message: "Successfully uploaded workspace secrets",
 	});
 };
 
@@ -122,59 +106,51 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
  */
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		const environment: string = req.query.environment as string;
-		const channel: string = req.query.channel as string;
-		const { workspaceId } = req.params;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const environment: string = req.query.environment as string;
+  const channel: string = req.query.channel as string;
+  const { workspaceId } = req.params;
 
-		let userId;
-		if (req.user) {
-			userId = req.user._id.toString();
-		} else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user.toString();
-		}
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+  let userId;
+  if (req.user) {
+    userId = req.user._id.toString();
+  } else if (req.serviceTokenData) {
+    userId = req.serviceTokenData.user.toString();
+  }
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error("Failed to validate environment");
+  }
 
-		secrets = await pull({
-			userId,
-			workspaceId,
-			environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
+  secrets = await pull({
+    userId,
+    workspaceId,
+    environment,
+    channel: channel ? channel : "cli",
+    ipAddress: req.realIP,
+  });
 
-		if (channel !== 'cli') {
-			secrets = reformatPullSecrets({ secrets });
-		}
+  if (channel !== "cli") {
+    secrets = reformatPullSecrets({ secrets });
+  }
 
-		if (postHogClient) {
-			// capture secrets pushed event in production
-			postHogClient.capture({
-				distinctId: req.user.email,
-				event: 'secrets pulled',
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
+  if (postHogClient) {
+    // capture secrets pushed event in production
+    postHogClient.capture({
+      distinctId: req.user.email,
+      event: "secrets pulled",
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : "cli",
+      },
+    });
+  }
 
 	return res.status(200).send({
-		secrets
+		secrets,
 	});
 };
 
@@ -208,22 +184,14 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
     }   
     */
 	let key;
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-		key = await Key.findOne({
-			workspace: workspaceId,
-			receiver: req.user._id
-		}).populate('sender', '+publicKey');
+  key = await Key.findOne({
+    workspace: workspaceId,
+    receiver: req.user._id,
+  }).populate("sender", "+publicKey");
 
-		if (!key) throw new Error('Failed to find workspace key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace key'
-		});
-	}
+  if (!key) throw new Error("Failed to find workspace key");
 
 	return res.status(200).json(key);
 }
@@ -231,26 +199,16 @@ export const getWorkspaceServiceTokenData = async (
 	req: Request,
 	res: Response
 ) => {
-	let serviceTokenData;
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-		serviceTokenData = await ServiceTokenData
-			.find({
-				workspace: workspaceId
-			})
-			.select('+encryptedKey +iv +tag');
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace service token data'
-		});
-	}
+  const serviceTokenData = await ServiceTokenData
+    .find({
+      workspace: workspaceId,
+    })
+    .select("+encryptedKey +iv +tag");
 
 	return res.status(200).send({
-		serviceTokenData
+		serviceTokenData,
 	});
 }
 
@@ -294,23 +252,14 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
         }
     }   
     */
-	let memberships;
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-		memberships = await Membership.find({
-			workspace: workspaceId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace memberships'
-		});
-	}
+  const memberships = await Membership.find({
+    workspace: workspaceId,
+  }).populate("user", "+publicKey");
 
 	return res.status(200).send({
-		memberships
+		memberships,
 	});
 }
 
@@ -374,31 +323,22 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
         }
     }   
     */
-	let membership;
-	try {
-		const {
-			membershipId
-		} = req.params;
-		const { role } = req.body;
-		
-		membership = await Membership.findByIdAndUpdate(
-			membershipId,
-			{
-				role
-			}, {
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update workspace membership'
-		});
-	}
-	
+  const {
+    membershipId,
+  } = req.params;
+  const { role } = req.body;
+  
+  const membership = await Membership.findByIdAndUpdate(
+    membershipId,
+    {
+      role,
+    }, {
+      new: true,
+    }
+  );
+
 	return res.status(200).send({
-		membership
+		membership,
 	}); 
 }
 
@@ -445,30 +385,21 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
         }
     }   
     */
-	let membership;
-	try {
-		const { 
-			membershipId
-		} = req.params;
-		
-		membership = await Membership.findByIdAndDelete(membershipId);
-		
-		if (!membership) throw new Error('Failed to delete workspace membership');
-		
-		await Key.deleteMany({
-			receiver: membership.user,
-			workspace: membership.workspace
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete workspace membership'
-		});	
-	}
+  const { 
+    membershipId,
+  } = req.params;
+  
+  const membership = await Membership.findByIdAndDelete(membershipId);
+  
+  if (!membership) throw new Error("Failed to delete workspace membership");
+  
+  await Key.deleteMany({
+    receiver: membership.user,
+    workspace: membership.workspace,
+  });
 	
 	return res.status(200).send({
-		membership
+		membership,
 	});
 }
 
@@ -479,32 +410,23 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
  * @returns
  */
 export const toggleAutoCapitalization = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
-		const { autoCapitalization } = req.body;
+  const { workspaceId } = req.params;
+  const { autoCapitalization } = req.body;
 
-		workspace = await Workspace.findOneAndUpdate(
-			{
-				_id: workspaceId
-			},
-			{
-				autoCapitalization
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change autoCapitalization setting'
-		});
-	}
+  const workspace = await Workspace.findOneAndUpdate(
+    {
+      _id: workspaceId,
+    },
+    {
+      autoCapitalization,
+    },
+    {
+      new: true,
+    }
+  );
 
 	return res.status(200).send({
-		message: 'Successfully changed autoCapitalization setting',
-		workspace
+		message: "Successfully changed autoCapitalization setting",
+		workspace,
 	});
-};
+};

backend/src/controllers/v3/authController.ts

@@ -1,29 +1,29 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
-import { Request, Response } from 'express';
-import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
-import * as bigintConversion from 'bigint-conversion';
-const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
-import { issueAuthTokens, createToken, validateProviderAuthToken } from '../../helpers/auth';
-import { checkUserDevice } from '../../helpers/user';
-import { sendMail } from '../../helpers/nodemailer';
-import { TokenService } from '../../services';
-import { EELogService } from '../../ee/services';
-import { BadRequestError, InternalServerError } from '../../utils/errors';
+import { Request, Response } from "express";
+import jwt from "jsonwebtoken";
+import * as Sentry from "@sentry/node";
+import * as bigintConversion from "bigint-conversion";
+const jsrp = require("jsrp");
+import { LoginSRPDetail, User } from "../../models";
+import { createToken, issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
+import { checkUserDevice } from "../../helpers/user";
+import { sendMail } from "../../helpers/nodemailer";
+import { TokenService } from "../../services";
+import { EELogService } from "../../ee/services";
+import { BadRequestError, InternalServerError } from "../../utils/errors";
 import {
+    ACTION_LOGIN,
     TOKEN_EMAIL_MFA,
-    ACTION_LOGIN
-} from '../../variables';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+} from "../../variables";
+import { getChannelFromUserAgent } from "../../utils/posthog"; // TODO: move this
 import {
+    getHttpsEnabled,
     getJwtMfaLifetime,
     getJwtMfaSecret,
-    getHttpsEnabled,
-} from '../../config';
-import { AuthProvider } from '../../models/user';
+} from "../../config";
+import { AuthProvider } from "../../models/user";
 
-declare module 'jsonwebtoken' {
+declare module "jsonwebtoken" {
     export interface ProviderAuthJwtPayload extends jwt.JwtPayload {
         userId: string;
         email: string;
@@ -43,7 +43,7 @@ export const login1 = async (req: Request, res: Response) => {
         const {
             email,
             providerAuthToken,
-            clientPublicKey
+            clientPublicKey,
         }: {
             email: string;
             clientPublicKey: string,
@@ -52,9 +52,9 @@ export const login1 = async (req: Request, res: Response) => {
 
         const user = await User.findOne({
             email,
-        }).select('+salt +verifier');
+        }).select("+salt +verifier");
 
-        if (!user) throw new Error('Failed to find user');
+        if (!user) throw new Error("Failed to find user");
 
         if (user.authProvider) {
             await validateProviderAuthToken({
@@ -68,13 +68,13 @@ export const login1 = async (req: Request, res: Response) => {
         server.init(
             {
                 salt: user.salt,
-                verifier: user.verifier
+                verifier: user.verifier,
             },
             async () => {
                 // generate server-side public key
                 const serverPublicKey = server.getPublicKey();
                 await LoginSRPDetail.findOneAndReplace({
-                    email: email
+                    email: email,
                 }, {
                     email,
                     userId: user.id,
@@ -84,7 +84,7 @@ export const login1 = async (req: Request, res: Response) => {
 
                 return res.status(200).send({
                     serverPublicKey,
-                    salt: user.salt
+                    salt: user.salt,
                 });
             }
         );
@@ -92,7 +92,7 @@ export const login1 = async (req: Request, res: Response) => {
         Sentry.setUser(null);
         Sentry.captureException(err);
         return res.status(400).send({
-            message: 'Failed to start authentication process'
+            message: "Failed to start authentication process",
         });
     }
 };
@@ -107,15 +107,15 @@ export const login1 = async (req: Request, res: Response) => {
 export const login2 = async (req: Request, res: Response) => {
     try {
 
-        if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+        if (!req.headers["user-agent"]) throw InternalServerError({ message: "User-Agent header is required" });
 
         const { email, clientProof, providerAuthToken } = req.body;
 
         const user = await User.findOne({
             email,
-        }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+        }).select("+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices");
 
-        if (!user) throw new Error('Failed to find user');
+        if (!user) throw new Error("Failed to find user");
 
         if (user.authProvider) {
             await validateProviderAuthToken({
@@ -136,7 +136,7 @@ export const login2 = async (req: Request, res: Response) => {
             {
                 salt: user.salt,
                 verifier: user.verifier,
-                b: loginSRPDetail.serverBInt
+                b: loginSRPDetail.serverBInt,
             },
             async () => {
                 server.setClientPublicKey(loginSRPDetail.clientPublicKey);
@@ -150,48 +150,52 @@ export const login2 = async (req: Request, res: Response) => {
                         // generate temporary MFA token
                         const token = createToken({
                             payload: {
-                                userId: user._id.toString()
+                                userId: user._id.toString(),
                             },
                             expiresIn: await getJwtMfaLifetime(),
-                            secret: await getJwtMfaSecret()
+                            secret: await getJwtMfaSecret(),
                         });
 
                         const code = await TokenService.createToken({
                             type: TOKEN_EMAIL_MFA,
-                            email
+                            email,
                         });
 
                         // send MFA code [code] to [email]
                         await sendMail({
-                            template: 'emailMfa.handlebars',
-                            subjectLine: 'Infisical MFA code',
+                            template: "emailMfa.handlebars",
+                            subjectLine: "Infisical MFA code",
                             recipients: [user.email],
                             substitutions: {
-                                code
-                            }
+                                code,
+                            },
                         });
 
                         return res.status(200).send({
                             mfaEnabled: true,
-                            token
+                            token,
                         });
                     }
 
                     await checkUserDevice({
                         user,
-                        ip: req.ip,
-                        userAgent: req.headers['user-agent'] ?? ''
+                        ip: req.realIP,
+                        userAgent: req.headers["user-agent"] ?? "",
                     });
 
                     // issue tokens
-                    const tokens = await issueAuthTokens({ userId: user._id.toString() });
+                    const tokens = await issueAuthTokens({ 
+                        userId: user._id,
+                        ip: req.realIP,
+                        userAgent: req.headers["user-agent"] ?? "",
+                    });
 
                     // store (refresh) token in httpOnly cookie
-                    res.cookie('jid', tokens.refreshToken, {
+                    res.cookie("jid", tokens.refreshToken, {
                         httpOnly: true,
-                        path: '/',
-                        sameSite: 'strict',
-                        secure: await getHttpsEnabled()
+                        path: "/",
+                        sameSite: "strict",
+                        secure: await getHttpsEnabled(),
                     });
 
                     // case: user does not have MFA enablgged
@@ -217,7 +221,7 @@ export const login2 = async (req: Request, res: Response) => {
                         publicKey: user.publicKey,
                         encryptedPrivateKey: user.encryptedPrivateKey,
                         iv: user.iv,
-                        tag: user.tag
+                        tag: user.tag,
                     }
 
                     if (
@@ -232,21 +236,21 @@ export const login2 = async (req: Request, res: Response) => {
 
                     const loginAction = await EELogService.createAction({
                         name: ACTION_LOGIN,
-                        userId: user._id
+                        userId: user._id,
                     });
 
                     loginAction && await EELogService.createLog({
                         userId: user._id,
                         actions: [loginAction],
-                        channel: getChannelFromUserAgent(req.headers['user-agent']),
-                        ipAddress: req.ip
+                        channel: getChannelFromUserAgent(req.headers["user-agent"]),
+                        ipAddress: req.realIP,
                     });
 
                     return res.status(200).send(response);
                 }
 
                 return res.status(400).send({
-                    message: 'Failed to authenticate. Try again?'
+                    message: "Failed to authenticate. Try again?",
                 });
             }
         );
@@ -254,7 +258,7 @@ export const login2 = async (req: Request, res: Response) => {
         Sentry.setUser(null);
         Sentry.captureException(err);
         return res.status(400).send({
-            message: 'Failed to authenticate. Try again?'
+            message: "Failed to authenticate. Try again?",
         });
     }
 };

backend/src/controllers/v3/index.ts

@@ -1,7 +1,7 @@
-import * as secretsController from './secretsController';
-import * as workspacesController from './workspacesController';
-import * as authController from './authController';
-import * as signupController from './signupController';
+import * as secretsController from "./secretsController";
+import * as workspacesController from "./workspacesController";
+import * as authController from "./authController";
+import * as signupController from "./signupController";
 
 export {
     authController,

backend/src/controllers/v3/secretsController.ts

@@ -1,183 +1,420 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { 
-    SecretService, 
-    TelemetryService,
-    EventService
-} from '../../services';
-import { eventPushSecrets } from '../../events';
-import { getAuthDataPayloadIdObj } from '../../utils/auth';
-import { BadRequestError } from '../../utils/errors';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { EventService, SecretService } from "../../services";
+import { eventPushSecrets } from "../../events";
+import { BotService } from "../../services";
+import { repackageSecretToRaw } from "../../helpers/secrets";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
 
 /**
- * Get secrets for workspace with id [workspaceId] and environment
- * [environment]
- * @param req 
- * @param res 
+ * Return secrets for workspace with id [workspaceId] and environment
+ * [environment] in plaintext
+ * @param req
+ * @param res
  */
-export const getSecrets = async (req: Request, res: Response) => {
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
+export const getSecretsRaw = async (req: Request, res: Response) => {
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
 
-    const secrets = await SecretService.getSecrets({
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        authData: req.authData
-    });
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData,
+  });
 
-    return res.status(200).send({
-        secrets
-    });
-}
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId),
+  });
+
+  return res.status(200).send({
+    secrets: secrets.map((secret) => {
+      const rep = repackageSecretToRaw({
+        secret,
+        key,
+      });
+
+      return rep;
+    }),
+  });
+};
 
 /**
- * Get secret with name [secretName]
- * @param req 
- * @param res 
+ * Return secret with name [secretName] in plaintext
+ * @param req
+ * @param res
  */
-export const getSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
-    const type = req.query.type as 'shared' | 'personal' | undefined;
+export const getSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
 
-    const secret = await SecretService.getSecret({
-        secretName,
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        type,
-        authData: req.authData
-    });
-    
-    return res.status(200).send({
-        secret
-    });
-}
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData,
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId),
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key,
+    }),
+  });
+};
 
 /**
- * Create secret with name [secretName]
- * @param req 
+ * Create secret with name [secretName] in plaintext
+ * @param req
  * @param res 
  */
-export const createSecret = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const { 
-        workspaceId,
-        environment,
-        type,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag
-    } = req.body;
-    
-    const secret = await SecretService.createSecret({
-        secretName,
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        type,
-        authData: req.authData,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag
-        } : {})
-    });
+export const createSecretRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValue,
+    secretComment,
+    secretPath = "/",
+  } = req.body;
 
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId),
+  });
 
-    const secretWithoutBlindIndex = secret.toObject();
-    delete secretWithoutBlindIndex.secretBlindIndex;
-    
-    return res.status(200).send({
-        secret: secretWithoutBlindIndex
-    });
+  const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretName,
+    key,
+  });
+
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key,
+  });
+
+  const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretComment,
+    key,
+  });
+
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+    secretKeyIV: secretKeyEncrypted.iv,
+    secretKeyTag: secretKeyEncrypted.tag,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath,
+    secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+    secretCommentIV: secretCommentEncrypted.iv,
+    secretCommentTag: secretCommentEncrypted.tag,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret: secretWithoutBlindIndex,
+      key,
+    }),
+  });
 }
 
 /**
  * Update secret with name [secretName]
  * @param req
- * @param res 
+ * @param res
  */
-export const updateSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const {
-        workspaceId,
-        environment,
-        type,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag
-    } = req.body;
+export const updateSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValue,
+    secretPath = "/",
+  } = req.body;
 
-    const secret = await SecretService.updateSecret({
-        secretName,
-        workspaceId,
-        environment,
-        type,
-        authData: req.authData,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag
-    });
-    
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId),
+  });
 
-    return res.status(200).send({
-        secret
-    });
-}
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key,
+  });
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key,
+    }),
+  });
+};
 
 /**
  * Delete secret with name [secretName]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
+ */
+export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretPath = "/",
+  } = req.body;
+
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId),
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key,
+    }),
+  });
+};
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req
+ * @param res
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData,
+  });
+
+  return res.status(200).send({
+    secrets,
+  });
+};
+
+/**
+ * Return secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
+
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData,
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};
+
+/**
+ * Create secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const createSecret = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag,
+    secretPath = "/",
+  } = req.body;
+
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+
+  return res.status(200).send({
+    secret: secretWithoutBlindIndex,
+  });
+};
+
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const updateSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath = "/",
+  } = req.body;
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};
+
+/**
+ * Delete secret with name [secretName]
+ * @param req
+ * @param res
  */
 export const deleteSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const {
-        workspaceId,
-        environment,
-        type
-    } = req.body;
-    
-    const { secret, secrets } = await SecretService.deleteSecret({
-        secretName,
-        workspaceId,
-        environment,
-        type,
-        authData: req.authData
-    });
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretPath = "/",
+  } = req.body;
 
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath,
+  });
 
-    return res.status(200).send({
-        secret
-    });
-}
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};

backend/src/controllers/v3/signupController.ts

@@ -1,17 +1,17 @@
-import jwt from 'jsonwebtoken';
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import jwt from "jsonwebtoken";
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
+import { MembershipOrg, User } from "../../models";
+import { completeAccount } from "../../helpers/user";
 import {
-	initializeDefaultOrg
-} from '../../helpers/signup';
-import { issueAuthTokens, validateProviderAuthToken } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import { standardRequest } from '../../config/request';
-import { getLoopsApiKey, getHttpsEnabled, getJwtSignupSecret } from '../../config';
-import { BadRequestError } from '../../utils/errors';
-import { TelemetryService } from '../../services';
+	initializeDefaultOrg,
+} from "../../helpers/signup";
+import { issueAuthTokens, validateProviderAuthToken } from "../../helpers/auth";
+import { ACCEPTED, INVITED } from "../../variables";
+import { standardRequest } from "../../config/request";
+import { getHttpsEnabled, getJwtSignupSecret, getLoopsApiKey } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import { TelemetryService } from "../../services";
 
 /**
  * Complete setting up user by adding their personal and auth information as part of the
@@ -63,7 +63,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			// case 1: user doesn't exist.
 			// case 2: user has already completed account
 			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
+				error: "Failed to complete account for complete user",
 			});
 		}
 
@@ -74,16 +74,16 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 				user,
 			});
 		} else {
-			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+			const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers["authorization"]?.split(" ", 2) ?? [null, null]
 			if (AUTH_TOKEN_TYPE === null) {
-				throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
+				throw BadRequestError({ message: "Missing Authorization Header in the request header." });
 			}
-			if (AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') {
+			if (AUTH_TOKEN_TYPE.toLowerCase() !== "bearer") {
 				throw BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` })
 			}
 			if (AUTH_TOKEN_VALUE === null) {
 				throw BadRequestError({
-					message: 'Missing Authorization Body in the request header',
+					message: "Missing Authorization Body in the request header",
 				})
 			}
 
@@ -110,16 +110,16 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			encryptedPrivateKeyIV,
 			encryptedPrivateKeyTag,
 			salt,
-			verifier
+			verifier,
 		});
 
 		if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+			throw new Error("Failed to complete account for non-existent user"); // ensure user is non-null
 
 		// initialize default organization and workspace
 		await initializeDefaultOrg({
 			organizationName,
-			user
+			user,
 		});
 
 		// update organization membership statuses that are
@@ -127,17 +127,19 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		await MembershipOrg.updateMany(
 			{
 				inviteEmail: email,
-				status: INVITED
+				status: INVITED,
 			},
 			{
 				user,
-				status: ACCEPTED
+				status: ACCEPTED,
 			}
 		);
 
 		// issue tokens
 		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
+			userId: user._id,
+			ip: req.realIP,
+			userAgent: req.headers["user-agent"] ?? "",
 		});
 
 		token = tokens.token;
@@ -148,45 +150,45 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 				"email": email,
 				"eventName": "Sign Up",
 				"firstName": firstName,
-				"lastName": lastName
+				"lastName": lastName,
 			}, {
 				headers: {
 					"Accept": "application/json",
-					"Authorization": "Bearer " + (await getLoopsApiKey())
+					"Authorization": "Bearer " + (await getLoopsApiKey()),
 				},
 			});
 		}
 
 		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
+		res.cookie("jid", tokens.refreshToken, {
 			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: await getHttpsEnabled()
+			path: "/",
+			sameSite: "strict",
+			secure: await getHttpsEnabled(),
 		});
 
 		const postHogClient = await TelemetryService.getPostHogClient();
 		if (postHogClient) {
 			postHogClient.capture({
-				event: 'User Signed Up',
+				event: "User Signed Up",
 				distinctId: email,
 				properties: {
 					email,
-					attributionSource
-				}
+					attributionSource,
+				},
 			});
 		}
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
-			message: 'Failed to complete account setup'
+			message: "Failed to complete account setup",
 		});
 	}
 
 	return res.status(200).send({
-		message: 'Successfully set up account',
+		message: "Successfully set up account",
 		user,
-		token
+		token,
 	});
 };

backend/src/controllers/v3/workspacesController.ts

@@ -1,7 +1,7 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { Secret } from '../../models';
-import { SecretService } from'../../services';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { Secret } from "../../models";
+import { SecretService } from"../../services";
 
 /**
  * Return whether or not all secrets in workspace with id [workspaceId]
@@ -16,8 +16,8 @@ export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response)
     const secretsWithoutBlindIndex = await Secret.countDocuments({
         workspace: new Types.ObjectId(workspaceId),
         secretBlindIndex: {
-            $exists: false
-        }
+            $exists: false,
+        },
     });
 
     return res.status(200).send(secretsWithoutBlindIndex === 0);
@@ -30,11 +30,11 @@ export const getWorkspaceSecrets = async (req: Request, res: Response) => {
     const { workspaceId } = req.params;
 
     const secrets = await Secret.find({
-        workspace: new Types.ObjectId (workspaceId)
+        workspace: new Types.ObjectId (workspaceId),
     });
     
     return res.status(200).send({
-        secrets
+        secrets,
     });
 }
 
@@ -51,14 +51,14 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
 
     const { workspaceId } = req.params;
     const { 
-        secretsToUpdate 
+        secretsToUpdate, 
     }: {
         secretsToUpdate: SecretToUpdate[];
     } = req.body;
 
     // get secret blind index salt
     const salt = await SecretService.getSecretBlindIndexSalt({
-        workspaceId: new Types.ObjectId(workspaceId)
+        workspaceId: new Types.ObjectId(workspaceId),
     });
 
     // update secret blind indices
@@ -66,18 +66,18 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
         secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
             const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
                 secretName: secretToUpdate.secretName,
-                salt
+                salt,
             });
     
             return ({
                 updateOne: {
                     filter: {
-                        _id: new Types.ObjectId(secretToUpdate._id)
+                        _id: new Types.ObjectId(secretToUpdate._id),
                     },
                     update: {
-                        secretBlindIndex
-                    }
-                }
+                        secretBlindIndex,
+                    },
+                },
             });
         })
     );
@@ -85,6 +85,6 @@ export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
     await Secret.bulkWrite(operations);
 
     return res.status(200).send({
-        message: 'Successfully named workspace secrets'
+        message: "Successfully named workspace secrets",
     });
 }

backend/src/ee/controllers/v1/actionController.ts

@@ -1,7 +1,6 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { Action, SecretVersion } from '../../models';
-import { ActionNotFoundError } from '../../../utils/errors';
+import { Request, Response } from "express";
+import { Action } from "../../models";
+import { ActionNotFoundError } from "../../../utils/errors";
 
 export const getAction = async (req: Request, res: Response) => {
     let action;
@@ -11,21 +10,21 @@ export const getAction = async (req: Request, res: Response) => {
         action = await Action
             .findById(actionId)
             .populate([
-                'payload.secretVersions.oldSecretVersion',
-                'payload.secretVersions.newSecretVersion'
+                "payload.secretVersions.oldSecretVersion",
+                "payload.secretVersions.newSecretVersion",
             ]);
         
         if (!action) throw ActionNotFoundError({
-            message: 'Failed to find action'
+            message: "Failed to find action",
         });
 
     } catch (err) {
         throw ActionNotFoundError({
-            message: 'Failed to find action'
+            message: "Failed to find action",
         });
     }
     
     return res.status(200).send({
-        action
+        action,
     });
-}
+}

backend/src/ee/controllers/v1/cloudProductsController.ts

@@ -1,8 +1,7 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import { EELicenseService } from '../../services';
-import { getLicenseServerUrl } from '../../../config';
-import { licenseServerKeyRequest } from '../../../config/request';
+import { Request, Response } from "express";
+import { EELicenseService } from "../../services";
+import { getLicenseServerUrl } from "../../../config";
+import { licenseServerKeyRequest } from "../../../config/request";
 
 /**
  * Return available cloud product information.
@@ -12,23 +11,18 @@ import { licenseServerKeyRequest } from '../../../config/request';
  * @returns 
  */
 export const getCloudProducts = async (req: Request, res: Response) => {
-    try {
-        const billingCycle = req.query['billing-cycle'] as string;
+    const billingCycle = req.query["billing-cycle"] as string;
 
-        if (EELicenseService.instanceType === 'cloud') {
-            const { data } = await licenseServerKeyRequest.get(
-                `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
-            ); 
+    if (EELicenseService.instanceType === "cloud") {
+        const { data } = await licenseServerKeyRequest.get(
+            `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+        ); 
 
-            return res.status(200).send(data);
-        }
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
+        return res.status(200).send(data);
     }
     
     return res.status(200).send({
         head: [],
-        rows: []
+        rows: [],
     });
-}
+}

backend/src/ee/controllers/v1/index.ts

@@ -1,19 +1,17 @@
-import * as stripeController from './stripeController';
-import * as secretController from './secretController';
-import * as secretSnapshotController from './secretSnapshotController';
-import * as organizationsController from './organizationsController';
-import * as workspaceController from './workspaceController';
-import * as actionController from './actionController';
-import * as membershipController from './membershipController';
-import * as cloudProductsController from './cloudProductsController';
+import * as secretController from "./secretController";
+import * as secretSnapshotController from "./secretSnapshotController";
+import * as organizationsController from "./organizationsController";
+import * as workspaceController from "./workspaceController";
+import * as actionController from "./actionController";
+import * as membershipController from "./membershipController";
+import * as cloudProductsController from "./cloudProductsController";
 
 export {
-    stripeController,
     secretController,
     secretSnapshotController,
     organizationsController,
     workspaceController,
     actionController,
     membershipController,
-    cloudProductsController
+    cloudProductsController,
 }

backend/src/ee/controllers/v1/membershipController.ts

@@ -3,8 +3,7 @@ import { Membership, Workspace } from "../../../models";
 import { IMembershipPermission } from "../../../models/membership";
 import { BadRequestError, UnauthorizedRequestError } from "../../../utils/errors";
 import { ADMIN, MEMBER } from "../../../variables/organization";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../../variables';
-import { Builder } from "builder-pattern"
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../../variables";
 import _ from "lodash";
 
 export const denyMembershipPermissions = async (req: Request, res: Response) => {
@@ -15,10 +14,10 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
       throw BadRequestError({ message: "One or more required fields are missing from the request or have incorrect type" })
     }
 
-    return Builder<IMembershipPermission>()
-      .environmentSlug(permission.environmentSlug)
-      .ability(permission.ability)
-      .build();
+    return {
+      environmentSlug: permission.environmentSlug,
+      ability: permission.ability
+    }
   })
 
   const sanitizedMembershipPermissionsUnique = _.uniqWith(sanitizedMembershipPermissions, _.isEqual)
@@ -39,7 +38,7 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
     throw BadRequestError({ message: "Something went wrong when locating the related workspace" })
   }
 
-  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, 'slug')));
+  const uniqueEnvironmentSlugs = new Set(_.uniq(_.map(relatedWorkspace.environments, "slug")));
 
   sanitizedMembershipPermissionsUnique.forEach(permission => {
     if (!uniqueEnvironmentSlugs.has(permission.environmentSlug)) {
@@ -59,6 +58,6 @@ export const denyMembershipPermissions = async (req: Request, res: Response) =>
   }
 
   res.send({
-    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions
+    permissionsDenied: updatedMembershipWithPermissions.deniedPermissions,
   })
 }

backend/src/ee/controllers/v1/organizationsController.ts

@@ -1,15 +1,26 @@
-import { Request, Response } from 'express';
-import { getLicenseServerUrl } from '../../../config';
-import { licenseServerKeyRequest } from '../../../config/request';
-import { EELicenseService } from '../../services';
+import { Request, Response } from "express";
+import { getLicenseServerUrl } from "../../../config";
+import { licenseServerKeyRequest } from "../../../config/request";
+import { EELicenseService } from "../../services";
+
+export const getOrganizationPlansTable = async (req: Request, res: Response) => {
+    const billingCycle = req.query.billingCycle as string;
+    
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+    ); 
+
+    return res.status(200).send(data); 
+}
 
 /**
- * Return the organization's current plan and allowed feature set
+ * Return the organization current plan's feature set
  */
 export const getOrganizationPlan = async (req: Request, res: Response) => {
     const { organizationId } = req.params;
+    const workspaceId = req.query.workspaceId as string;
 
-    const plan = await EELicenseService.getOrganizationPlan(organizationId);
+    const plan = await EELicenseService.getPlan(organizationId, workspaceId);
 
     return res.status(200).send({
         plan,
@@ -17,26 +28,82 @@ export const getOrganizationPlan = async (req: Request, res: Response) => {
 }
 
 /**
- * Update the organization plan to product with id [productId]
+ * Return checkout url for pro trial
  * @param req 
  * @param res 
  * @returns 
  */
-export const updateOrganizationPlan = async (req: Request, res: Response) => {
-    const {
-        productId
-    } = req.body;
+export const startOrganizationTrial = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+    const { success_url } = req.body;
 
-    const { data  } = await licenseServerKeyRequest.patch(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan`,
+    const { data: { url } } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/session/trial`,
         {
-            productId
+            success_url
         }
     ); 
     
+    EELicenseService.delPlan(organizationId);
+    
+    return res.status(200).send({
+        url
+    });
+}
+
+/**
+ * Return the organization's current plan's billing info
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationPlanBillingInfo = async (req: Request, res: Response) => {
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan/billing`
+    ); 
+    
     return res.status(200).send(data);
 }
 
+/**
+ * Return the organization's current plan's feature table
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getOrganizationPlanTable = async (req: Request, res: Response) => {
+    const { data } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan/table`
+    ); 
+
+    return res.status(200).send(data);
+}
+
+export const getOrganizationBillingDetails = async (req: Request, res: Response) => {
+    const { data  } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details`
+    ); 
+
+    return res.status(200).send(data);
+}
+
+export const updateOrganizationBillingDetails = async (req: Request, res: Response) => {
+    const {
+        name,
+        email
+    } = req.body;
+
+    const { data } = await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details`,
+        {
+            ...(name ? { name } : {}),
+            ...(email ? { email } : {})
+        }
+    ); 
+
+    return res.status(200).send(data); 
+}
+
 /**
  * Return the organization's payment methods on file
  */
@@ -45,30 +112,28 @@ export const getOrganizationPmtMethods = async (req: Request, res: Response) =>
         `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`
     );
 
-    return res.status(200).send({
-        pmtMethods
-    }); 
+    return res.status(200).send(pmtMethods); 
 }
 
 /**
- * Return a Stripe session URL to add payment method for organization
+ * Return URL to add payment method for organization
  */
 export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
     const {
         success_url,
-        cancel_url
+        cancel_url,
     } = req.body;
     
     const { data: { url } } = await licenseServerKeyRequest.post(
         `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
         {
             success_url,
-            cancel_url
+            cancel_url,
         }
     );
     
     return res.status(200).send({
-        url
+        url,
     }); 
 }
 
@@ -80,4 +145,53 @@ export const deleteOrganizationPmtMethod = async (req: Request, res: Response) =
     );
         
     return res.status(200).send(data);
+}
+
+/**
+ * Return the organization's tax ids on file
+ */
+export const getOrganizationTaxIds = async (req: Request, res: Response) => {
+    const { data: { tax_ids } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids`
+    );
+
+    return res.status(200).send(tax_ids); 
+}
+
+/**
+ * Add tax id to organization
+ */
+export const addOrganizationTaxId = async (req: Request, res: Response) => {
+    const {
+        type,
+        value
+    } = req.body;
+
+    const { data } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids`,
+        {
+            type,
+            value
+        }
+    );
+
+    return res.status(200).send(data); 
+}
+
+export const deleteOrganizationTaxId = async (req: Request, res: Response) => {
+    const { taxId } = req.params;
+
+    const { data } = await licenseServerKeyRequest.delete(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/tax-ids/${taxId}`,
+    );
+        
+    return res.status(200).send(data); 
+}
+
+export const getOrganizationInvoices = async (req: Request, res: Response) => {
+    const { data: { invoices } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/invoices`
+    );
+
+    return res.status(200).send(invoices); 
 }

backend/src/ee/controllers/v1/secretController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import { Secret } from "../../../models";
 import { SecretVersion } from "../../models";
 import { EESecretService } from "../../services";
@@ -55,32 +54,20 @@ export const getSecretVersions = async (req: Request, res: Response) => {
         }
     }   
     */
-  let secretVersions;
-  try {
-    const { secretId, workspaceId, environment, folderId } = req.params;
+  const { secretId } = req.params;
 
-    const offset: number = parseInt(req.query.offset as string);
-    const limit: number = parseInt(req.query.limit as string);
+  const offset: number = parseInt(req.query.offset as string);
+  const limit: number = parseInt(req.query.limit as string);
 
-    secretVersions = await SecretVersion.find({
-      secret: secretId,
-      workspace: workspaceId,
-      environment,
-      folder: folderId,
-    })
-      .sort({ createdAt: -1 })
-      .skip(offset)
-      .limit(limit);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get secret versions",
-    });
-  }
+  const secretVersions = await SecretVersion.find({
+    secret: secretId
+  })
+    .sort({ createdAt: -1 })
+    .skip(offset)
+    .limit(limit);
 
   return res.status(200).send({
-    secretVersions,
+    secretVersions
   });
 };
 
@@ -139,74 +126,45 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
         }
     }   
     */
-  let secret;
-  try {
-    const { secretId } = req.params;
-    const { version } = req.body;
+  const { secretId } = req.params;
+  const { version } = req.body;
 
-    // validate secret version
-    const oldSecretVersion = await SecretVersion.findOne({
-      secret: secretId,
-      version,
-    }).select("+secretBlindIndex");
+  // validate secret version
+  const oldSecretVersion = await SecretVersion.findOne({
+    secret: secretId,
+    version
+  }).select("+secretBlindIndex");
 
-    if (!oldSecretVersion) throw new Error("Failed to find secret version");
+  if (!oldSecretVersion) throw new Error("Failed to find secret version");
 
-    const {
-      workspace,
-      type,
-      user,
-      environment,
-      secretBlindIndex,
-      secretKeyCiphertext,
-      secretKeyIV,
-      secretKeyTag,
-      secretValueCiphertext,
-      secretValueIV,
-      secretValueTag,
-      folder,
-      algorithm,
-      keyEncoding,
-    } = oldSecretVersion;
+  const {
+    workspace,
+    type,
+    user,
+    environment,
+    secretBlindIndex,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    algorithm,
+    folder,
+    keyEncoding
+  } = oldSecretVersion;
 
-    // update secret
-    secret = await Secret.findByIdAndUpdate(
-      secretId,
-      {
-        $inc: {
-          version: 1,
-        },
-        workspace,
-        type,
-        user,
-        environment,
-        ...(secretBlindIndex ? { secretBlindIndex } : {}),
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        folderId: folder,
-        algorithm,
-        keyEncoding,
+  // update secret
+  const secret = await Secret.findByIdAndUpdate(
+    secretId,
+    {
+      $inc: {
+        version: 1
       },
-      {
-        new: true,
-      }
-    );
-
-    if (!secret) throw new Error("Failed to find and update secret");
-
-    // add new secret version
-    await new SecretVersion({
-      secret: secretId,
-      version: secret.version,
       workspace,
       type,
       user,
       environment,
-      isDeleted: false,
       ...(secretBlindIndex ? { secretBlindIndex } : {}),
       secretKeyCiphertext,
       secretKeyIV,
@@ -214,26 +172,46 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
       secretValueCiphertext,
       secretValueIV,
       secretValueTag,
-      folder,
-      algorithm,
-      keyEncoding,
-    }).save();
-
-    // take secret snapshot
-    await EESecretService.takeSecretSnapshot({
-      workspaceId: secret.workspace,
-      environment,
       folderId: folder,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to roll back secret version",
-    });
-  }
+      algorithm,
+      keyEncoding
+    },
+    {
+      new: true
+    }
+  );
+
+  if (!secret) throw new Error("Failed to find and update secret");
+
+  // add new secret version
+  await new SecretVersion({
+    secret: secretId,
+    version: secret.version,
+    workspace,
+    type,
+    user,
+    environment,
+    isDeleted: false,
+    ...(secretBlindIndex ? { secretBlindIndex } : {}),
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    folder,
+    algorithm,
+    keyEncoding
+  }).save();
+
+  // take secret snapshot
+  await EESecretService.takeSecretSnapshot({
+    workspaceId: secret.workspace,
+    environment,
+    folderId: folder
+  });
 
   return res.status(200).send({
-    secret,
+    secret
   });
 };

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import {
   ISecretVersion,
   SecretSnapshot,
@@ -13,29 +12,21 @@ import {
  * @returns
  */
 export const getSecretSnapshot = async (req: Request, res: Response) => {
-  let secretSnapshot;
-  try {
-    const { secretSnapshotId } = req.params;
+  const { secretSnapshotId } = req.params;
 
-    secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
-      .lean()
-      .populate<{ secretVersions: ISecretVersion[] }>({
-        path: 'secretVersions',
-        populate: {
-          path: 'tags',
-          model: 'Tag'
-        }
-      })
-      .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
-
-    if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get secret snapshot",
-    });
-  }
+  const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
+    .lean()
+    .populate<{ secretVersions: ISecretVersion[] }>({
+      path: "secretVersions",
+      populate: {
+        path: "tags",
+        model: "Tag",
+      },
+    })
+    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
+  
+  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+  
   const folderId = secretSnapshot.folderId;
   // to show only the folder required secrets
   secretSnapshot.secretVersions = secretSnapshot.secretVersions.filter(

backend/src/ee/controllers/v1/stripeController.ts

@@ -1,41 +0,0 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import Stripe from 'stripe';
-import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
-
-/**
- * Handle service provisioning/un-provisioning via Stripe
- * @param req
- * @param res
- * @returns
- */
-export const handleWebhook = async (req: Request, res: Response) => {
-	let event;
-	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-
-		// check request for valid stripe signature
-		const sig = req.headers['stripe-signature'] as string;
-		event = stripe.webhooks.constructEvent(
-			req.body,
-			sig,
-			await getStripeWebhookSecret()
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to process webhook'
-		});
-	}
-
-	switch (event.type) {
-		case '':
-			break;
-		default:
-	}
-
-	return res.json({ received: true });
-};

backend/src/ee/controllers/v1/workspaceController.ts

@@ -1,13 +1,12 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import { PipelineStage, Types } from "mongoose";
 import { Secret } from "../../../models";
 import {
-  SecretSnapshot,
-  Log,
-  SecretVersion,
-  ISecretVersion,
   FolderVersion,
+  ISecretVersion,
+  Log,
+  SecretSnapshot,
+  SecretVersion,
   TFolderRootVersionSchema,
 } from "../../models";
 import { EESecretService } from "../../services";
@@ -69,29 +68,20 @@ export const getWorkspaceSecretSnapshots = async (
         }
     }
     */
-  let secretSnapshots;
-  try {
-    const { workspaceId } = req.params;
-    const { environment, folderId } = req.query;
+  const { workspaceId } = req.params;
+  const { environment, folderId } = req.query;
 
-    const offset: number = parseInt(req.query.offset as string);
-    const limit: number = parseInt(req.query.limit as string);
+  const offset: number = parseInt(req.query.offset as string);
+  const limit: number = parseInt(req.query.limit as string);
 
-    secretSnapshots = await SecretSnapshot.find({
-      workspace: workspaceId,
-      environment,
-      folderId: folderId || "root",
-    })
-      .sort({ createdAt: -1 })
-      .skip(offset)
-      .limit(limit);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get secret snapshots",
-    });
-  }
+  const secretSnapshots = await SecretSnapshot.find({
+    workspace: workspaceId,
+    environment,
+    folderId: folderId || "root",
+  })
+    .sort({ createdAt: -1 })
+    .skip(offset)
+    .limit(limit);
 
   return res.status(200).send({
     secretSnapshots,
@@ -107,23 +97,14 @@ export const getWorkspaceSecretSnapshotsCount = async (
   req: Request,
   res: Response
 ) => {
-  let count;
-  try {
-    const { workspaceId } = req.params;
-    const { environment, folderId } = req.query;
+  const { workspaceId } = req.params;
+  const { environment, folderId } = req.query;
 
-    count = await SecretSnapshot.countDocuments({
-      workspace: workspaceId,
-      environment,
-      folderId: folderId || "root",
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to count number of secret snapshots",
-    });
-  }
+  const count = await SecretSnapshot.countDocuments({
+    workspace: workspaceId,
+    environment,
+    folderId: folderId || "root",
+  });
 
   return res.status(200).send({
     count,
@@ -191,324 +172,315 @@ export const rollbackWorkspaceSecretSnapshot = async (
     }   
     */
 
-  let secrets;
-  try {
-    const { workspaceId } = req.params;
-    const { version, environment, folderId = "root" } = req.body;
+  const { workspaceId } = req.params;
+  const { version, environment, folderId = "root" } = req.body;
 
-    // validate secret snapshot
-    const secretSnapshot = await SecretSnapshot.findOne({
-      workspace: workspaceId,
-      version,
-      environment,
-      folderId: folderId,
+  // validate secret snapshot
+  const secretSnapshot = await SecretSnapshot.findOne({
+    workspace: workspaceId,
+    version,
+    environment,
+    folderId: folderId,
+  })
+    .populate<{ secretVersions: ISecretVersion[] }>({
+      path: "secretVersions",
+      select: "+secretBlindIndex",
     })
-      .populate<{ secretVersions: ISecretVersion[] }>({
-        path: "secretVersions",
-        select: "+secretBlindIndex",
-      })
-      .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
+    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
 
-    if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
 
-    const snapshotFolderTree = secretSnapshot.folderVersion;
-    const latestFolderTree = await Folder.findOne({
-      workspace: workspaceId,
-      environment,
-    });
+  const snapshotFolderTree = secretSnapshot.folderVersion;
+  const latestFolderTree = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  });
 
-    const latestFolderVersion = await FolderVersion.findOne({
-      environment,
-      workspace: workspaceId,
-      "nodes.id": folderId,
-    }).sort({ "nodes.version": -1 });
+  const latestFolderVersion = await FolderVersion.findOne({
+    environment,
+    workspace: workspaceId,
+    "nodes.id": folderId,
+  }).sort({ "nodes.version": -1 });
 
-    const oldSecretVersionsObj: Record<string, ISecretVersion> = {};
-    const secretIds: Types.ObjectId[] = [];
-    const folderIds: string[] = [folderId];
+  const oldSecretVersionsObj: Record<string, ISecretVersion> = {};
+  const secretIds: Types.ObjectId[] = [];
+  const folderIds: string[] = [folderId];
 
-    secretSnapshot.secretVersions.forEach((snapSecVer) => {
-      oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
-      secretIds.push(snapSecVer.secret);
-    });
+  secretSnapshot.secretVersions.forEach((snapSecVer) => {
+    oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+    secretIds.push(snapSecVer.secret);
+  });
 
-    // the parent node from current latest one
-    // this will be modified according to the snapshot and latest snapshots
-    const newFolderTree =
-      latestFolderTree && searchByFolderId(latestFolderTree.nodes, folderId);
+  // the parent node from current latest one
+  // this will be modified according to the snapshot and latest snapshots
+  const newFolderTree =
+    latestFolderTree && searchByFolderId(latestFolderTree.nodes, folderId);
 
-    if (newFolderTree) {
-      newFolderTree.children = snapshotFolderTree?.nodes?.children || [];
-      const queue = [newFolderTree];
-      // a bfs algorithm in which we take the latest snapshots of all the folders in a level
+  if (newFolderTree) {
+    newFolderTree.children = snapshotFolderTree?.nodes?.children || [];
+    const queue = [newFolderTree];
+    // a bfs algorithm in which we take the latest snapshots of all the folders in a level
+    while (queue.length) {
+      const groupByFolderId: Record<string, TFolderSchema> = {};
+      // the original queue is popped out completely to get what ever in a level
+      // subqueue is filled with all the children thus next level folders
+      // subQueue will then be transfered to the oriinal queue
+      const subQueue: TFolderSchema[] = [];
+      // get everything inside a level
       while (queue.length) {
-        const groupByFolderId: Record<string, TFolderSchema> = {};
-        // the original queue is popped out completely to get what ever in a level
-        // subqueue is filled with all the children thus next level folders
-        // subQueue will then be transfered to the oriinal queue
-        const subQueue: TFolderSchema[] = [];
-        // get everything inside a level
-        while (queue.length) {
-          const folder = queue.pop() as TFolderSchema;
-          folder.children.forEach((el) => {
-            folderIds.push(el.id); // push ids and data into queu
-            subQueue.push(el);
-            // to modify the original tree very fast we keep a reference object
-            // key with folder id and pointing to the various nodes
-            groupByFolderId[el.id] = el;
-          });
-        }
-        // get latest snapshots of all the folder
-        const matchWsFoldersPipeline = {
-          $match: {
-            workspace: new Types.ObjectId(workspaceId),
-            environment,
-            folderId: {
-              $in: Object.keys(groupByFolderId),
-            },
-          },
-        };
-        const sortByFolderIdAndVersion: PipelineStage = {
-          $sort: { folderId: 1, version: -1 },
-        };
-        const pickLatestVersionOfEachFolder = {
-          $group: {
-            _id: "$folderId",
-            latestVersion: { $first: "$version" },
-            doc: {
-              $first: "$$ROOT",
-            },
-          },
-        };
-        const populateSecVersion = {
-          $lookup: {
-            from: SecretVersion.collection.name,
-            localField: "doc.secretVersions",
-            foreignField: "_id",
-            as: "doc.secretVersions",
-          },
-        };
-        const populateFolderVersion = {
-          $lookup: {
-            from: FolderVersion.collection.name,
-            localField: "doc.folderVersion",
-            foreignField: "_id",
-            as: "doc.folderVersion",
-          },
-        };
-        const unwindFolderVerField = {
-          $unwind: {
-            path: "$doc.folderVersion",
-            preserveNullAndEmptyArrays: true,
-          },
-        };
-        const latestSnapshotsByFolders: Array<{ doc: typeof secretSnapshot }> =
-          await SecretSnapshot.aggregate([
-            matchWsFoldersPipeline,
-            sortByFolderIdAndVersion,
-            pickLatestVersionOfEachFolder,
-            populateSecVersion,
-            populateFolderVersion,
-            unwindFolderVerField,
-          ]);
-
-        // recursive snapshotting each level
-        latestSnapshotsByFolders.forEach((snap) => {
-          // mutate the folder tree to update the nodes to the latest version tree
-          // we are reconstructing the folder tree by latest snapshots here
-          if (groupByFolderId[snap.doc.folderId]) {
-            groupByFolderId[snap.doc.folderId].children =
-              snap.doc?.folderVersion?.nodes?.children || [];
-          }
-
-          // push all children of next level snapshots
-          if (snap.doc.folderVersion?.nodes?.children) {
-            queue.push(...snap.doc.folderVersion.nodes.children);
-          }
-
-          snap.doc.secretVersions.forEach((snapSecVer) => {
-            // record all the secrets
-            oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
-            secretIds.push(snapSecVer.secret);
-          });
+        const folder = queue.pop() as TFolderSchema;
+        folder.children.forEach((el) => {
+          folderIds.push(el.id); // push ids and data into queu
+          subQueue.push(el);
+          // to modify the original tree very fast we keep a reference object
+          // key with folder id and pointing to the various nodes
+          groupByFolderId[el.id] = el;
         });
-
-        queue.push(...subQueue);
       }
-    }
-
-    // TODO: fix any
-    const latestSecretVersionIds = await getLatestSecretVersionIds({
-      secretIds,
-    });
-
-    // TODO: fix any
-    const latestSecretVersions: any = (
-      await SecretVersion.find(
-        {
-          _id: {
-            $in: latestSecretVersionIds.map((s) => s.versionId),
+      // get latest snapshots of all the folder
+      const matchWsFoldersPipeline = {
+        $match: {
+          workspace: new Types.ObjectId(workspaceId),
+          environment,
+          folderId: {
+            $in: Object.keys(groupByFolderId),
           },
         },
-        "secret version"
-      )
-    ).reduce(
-      (accumulator, s) => ({
-        ...accumulator,
-        [`${s.secret.toString()}`]: s,
-      }),
-      {}
-    );
+      };
+      const sortByFolderIdAndVersion: PipelineStage = {
+        $sort: { folderId: 1, version: -1 },
+      };
+      const pickLatestVersionOfEachFolder = {
+        $group: {
+          _id: "$folderId",
+          latestVersion: { $first: "$version" },
+          doc: {
+            $first: "$$ROOT",
+          },
+        },
+      };
+      const populateSecVersion = {
+        $lookup: {
+          from: SecretVersion.collection.name,
+          localField: "doc.secretVersions",
+          foreignField: "_id",
+          as: "doc.secretVersions",
+        },
+      };
+      const populateFolderVersion = {
+        $lookup: {
+          from: FolderVersion.collection.name,
+          localField: "doc.folderVersion",
+          foreignField: "_id",
+          as: "doc.folderVersion",
+        },
+      };
+      const unwindFolderVerField = {
+        $unwind: {
+          path: "$doc.folderVersion",
+          preserveNullAndEmptyArrays: true,
+        },
+      };
+      const latestSnapshotsByFolders: Array<{ doc: typeof secretSnapshot }> =
+        await SecretSnapshot.aggregate([
+          matchWsFoldersPipeline,
+          sortByFolderIdAndVersion,
+          pickLatestVersionOfEachFolder,
+          populateSecVersion,
+          populateFolderVersion,
+          unwindFolderVerField,
+        ]);
 
-    const secDelQuery: Record<string, unknown> = {
-      workspace: workspaceId,
-      environment,
-      // undefined means root thus collect all secrets
-    };
-    if (folderId !== "root" && folderIds.length)
-      secDelQuery.folder = { $in: folderIds };
+      // recursive snapshotting each level
+      latestSnapshotsByFolders.forEach((snap) => {
+        // mutate the folder tree to update the nodes to the latest version tree
+        // we are reconstructing the folder tree by latest snapshots here
+        if (groupByFolderId[snap.doc.folderId]) {
+          groupByFolderId[snap.doc.folderId].children =
+            snap.doc?.folderVersion?.nodes?.children || [];
+        }
 
-    // delete existing secrets
-    await Secret.deleteMany(secDelQuery);
-    await Folder.deleteOne({
-      workspace: workspaceId,
-      environment,
-    });
+        // push all children of next level snapshots
+        if (snap.doc.folderVersion?.nodes?.children) {
+          queue.push(...snap.doc.folderVersion.nodes.children);
+        }
 
-    // add secrets
-    secrets = await Secret.insertMany(
-      Object.keys(oldSecretVersionsObj).map((sv) => {
-        const {
-          secret: secretId,
-          workspace,
-          type,
-          user,
-          environment,
-          secretBlindIndex,
-          secretKeyCiphertext,
-          secretKeyIV,
-          secretKeyTag,
-          secretValueCiphertext,
-          secretValueIV,
-          secretValueTag,
-          createdAt,
-          algorithm,
-          keyEncoding,
-          folder: secFolderId,
-        } = oldSecretVersionsObj[sv];
-
-        return {
-          _id: secretId,
-          version: latestSecretVersions[secretId.toString()].version + 1,
-          workspace,
-          type,
-          user,
-          environment,
-          secretBlindIndex: secretBlindIndex ?? undefined,
-          secretKeyCiphertext,
-          secretKeyIV,
-          secretKeyTag,
-          secretValueCiphertext,
-          secretValueIV,
-          secretValueTag,
-          secretCommentCiphertext: "",
-          secretCommentIV: "",
-          secretCommentTag: "",
-          createdAt,
-          algorithm,
-          keyEncoding,
-          folder: secFolderId,
-        };
-      })
-    );
-
-    // add secret versions
-    const secretV = await SecretVersion.insertMany(
-      secrets.map(
-        ({
-          _id,
-          version,
-          workspace,
-          type,
-          user,
-          environment,
-          secretBlindIndex,
-          secretKeyCiphertext,
-          secretKeyIV,
-          secretKeyTag,
-          secretValueCiphertext,
-          secretValueIV,
-          secretValueTag,
-          algorithm,
-          keyEncoding,
-          folder: secFolderId,
-        }) => ({
-          _id: new Types.ObjectId(),
-          secret: _id,
-          version,
-          workspace,
-          type,
-          user,
-          environment,
-          isDeleted: false,
-          secretBlindIndex: secretBlindIndex ?? undefined,
-          secretKeyCiphertext,
-          secretKeyIV,
-          secretKeyTag,
-          secretValueCiphertext,
-          secretValueIV,
-          secretValueTag,
-          algorithm,
-          keyEncoding,
-          folder: secFolderId,
-        })
-      )
-    );
-
-    if (newFolderTree && latestFolderTree) {
-      // save the updated folder tree to the present one
-      newFolderTree.version = (latestFolderVersion?.nodes?.version || 0) + 1;
-      latestFolderTree._id = new Types.ObjectId();
-      latestFolderTree.isNew = true;
-      await latestFolderTree.save();
-
-      // create new folder version
-      const newFolderVersion = new FolderVersion({
-        workspace: workspaceId,
-        environment,
-        nodes: newFolderTree,
+        snap.doc.secretVersions.forEach((snapSecVer) => {
+          // record all the secrets
+          oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+          secretIds.push(snapSecVer.secret);
+        });
       });
-      await newFolderVersion.save();
-    }
 
-    // update secret versions of restored secrets as not deleted
-    await SecretVersion.updateMany(
+      queue.push(...subQueue);
+    }
+  }
+
+  // TODO: fix any
+  const latestSecretVersionIds = await getLatestSecretVersionIds({
+    secretIds,
+  });
+
+  // TODO: fix any
+  const latestSecretVersions: any = (
+    await SecretVersion.find(
       {
-        secret: {
-          $in: Object.keys(oldSecretVersionsObj).map(
-            (sv) => oldSecretVersionsObj[sv].secret
-          ),
+        _id: {
+          $in: latestSecretVersionIds.map((s) => s.versionId),
         },
       },
-      {
-        isDeleted: false,
-      }
-    );
+      "secret version"
+    )
+  ).reduce(
+    (accumulator, s) => ({
+      ...accumulator,
+      [`${s.secret.toString()}`]: s,
+    }),
+    {}
+  );
 
-    // take secret snapshot
-    await EESecretService.takeSecretSnapshot({
-      workspaceId: new Types.ObjectId(workspaceId),
+  const secDelQuery: Record<string, unknown> = {
+    workspace: workspaceId,
+    environment,
+    // undefined means root thus collect all secrets
+  };
+  if (folderId !== "root" && folderIds.length)
+    secDelQuery.folder = { $in: folderIds };
+
+  // delete existing secrets
+  await Secret.deleteMany(secDelQuery);
+  await Folder.deleteOne({
+    workspace: workspaceId,
+    environment,
+  });
+
+  // add secrets
+  const secrets = await Secret.insertMany(
+    Object.keys(oldSecretVersionsObj).map((sv) => {
+      const {
+        secret: secretId,
+        workspace,
+        type,
+        user,
+        environment,
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        createdAt,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      } = oldSecretVersionsObj[sv];
+
+      return {
+        _id: secretId,
+        version: latestSecretVersions[secretId.toString()].version + 1,
+        workspace,
+        type,
+        user,
+        environment,
+        secretBlindIndex: secretBlindIndex ?? undefined,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext: "",
+        secretCommentIV: "",
+        secretCommentTag: "",
+        createdAt,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      };
+    })
+  );
+
+  // add secret versions
+  const secretV = await SecretVersion.insertMany(
+    secrets.map(
+      ({
+        _id,
+        version,
+        workspace,
+        type,
+        user,
+        environment,
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      }) => ({
+        _id: new Types.ObjectId(),
+        secret: _id,
+        version,
+        workspace,
+        type,
+        user,
+        environment,
+        isDeleted: false,
+        secretBlindIndex: secretBlindIndex ?? undefined,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      })
+    )
+  );
+
+  if (newFolderTree && latestFolderTree) {
+    // save the updated folder tree to the present one
+    newFolderTree.version = (latestFolderVersion?.nodes?.version || 0) + 1;
+    latestFolderTree._id = new Types.ObjectId();
+    latestFolderTree.isNew = true;
+    await latestFolderTree.save();
+
+    // create new folder version
+    const newFolderVersion = new FolderVersion({
+      workspace: workspaceId,
       environment,
-      folderId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to roll back secret snapshot",
+      nodes: newFolderTree,
     });
+    await newFolderVersion.save();
   }
 
+  // update secret versions of restored secrets as not deleted
+  await SecretVersion.updateMany(
+    {
+      secret: {
+        $in: Object.keys(oldSecretVersionsObj).map(
+          (sv) => oldSecretVersionsObj[sv].secret
+        ),
+      },
+    },
+    {
+      isDeleted: false,
+    }
+  );
+
+  // take secret snapshot
+  await EESecretService.takeSecretSnapshot({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    folderId,
+  });
+
   return res.status(200).send({
     secrets,
   });
@@ -587,39 +559,30 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
         }
     }   
     */
-  let logs;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    const offset: number = parseInt(req.query.offset as string);
-    const limit: number = parseInt(req.query.limit as string);
-    const sortBy: string = req.query.sortBy as string;
-    const userId: string = req.query.userId as string;
-    const actionNames: string = req.query.actionNames as string;
+  const offset: number = parseInt(req.query.offset as string);
+  const limit: number = parseInt(req.query.limit as string);
+  const sortBy: string = req.query.sortBy as string;
+  const userId: string = req.query.userId as string;
+  const actionNames: string = req.query.actionNames as string;
 
-    logs = await Log.find({
-      workspace: workspaceId,
-      ...(userId ? { user: userId } : {}),
-      ...(actionNames
-        ? {
-            actionNames: {
-              $in: actionNames.split(","),
-            },
-          }
-        : {}),
-    })
-      .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
-      .skip(offset)
-      .limit(limit)
-      .populate("actions")
-      .populate("user serviceAccount serviceTokenData");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace logs",
-    });
-  }
+  const logs = await Log.find({
+    workspace: workspaceId,
+    ...(userId ? { user: userId } : {}),
+    ...(actionNames
+      ? {
+          actionNames: {
+            $in: actionNames.split(","),
+          },
+        }
+      : {}),
+  })
+    .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
+    .skip(offset)
+    .limit(limit)
+    .populate("actions")
+    .populate("user serviceAccount serviceTokenData");
 
   return res.status(200).send({
     logs,

backend/src/ee/helpers/action.ts

@@ -1,17 +1,17 @@
-import { Types } from 'mongoose';
-import { Action } from '../models';
+import { Types } from "mongoose";
+import { Action } from "../models";
 import { 
+    getLatestNSecretSecretVersionIds,
     getLatestSecretVersionIds,
-    getLatestNSecretSecretVersionIds
-} from '../helpers/secretVersion';
+} from "../helpers/secretVersion";
 import { 
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
     ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS,
     ACTION_UPDATE_SECRETS,
-} from '../../variables';
+} from "../../variables";
 
 /**
  * Create an (audit) action for updating secrets
@@ -26,7 +26,7 @@ const createActionUpdateSecret = async ({
     serviceAccountId,
     serviceTokenDataId,
     workspaceId,
-    secretIds
+    secretIds,
 }: {
     name: string;
     userId?: Types.ObjectId;
@@ -37,11 +37,11 @@ const createActionUpdateSecret = async ({
 }) => {
     const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
             secretIds,
-            n: 2
+            n: 2,
         }))
         .map((s) => ({
             oldSecretVersion: s.versions[0]._id,
-            newSecretVersion: s.versions[1]._id
+            newSecretVersion: s.versions[1]._id,
         }));
     
     const action = await new Action({
@@ -51,8 +51,8 @@ const createActionUpdateSecret = async ({
         serviceTokenData: serviceTokenDataId,
         workspace: workspaceId,
         payload: {
-            secretVersions: latestSecretVersions
-        }
+            secretVersions: latestSecretVersions,
+        },
     }).save();
     
     return action;
@@ -72,7 +72,7 @@ const createActionSecret = async ({
     serviceAccountId,
     serviceTokenDataId,
     workspaceId,
-    secretIds
+    secretIds,
 }: {
     name: string;
     userId?: Types.ObjectId;
@@ -84,10 +84,10 @@ const createActionSecret = async ({
     // case: action is adding, deleting, or reading secrets
     // -> add new secret versions
     const latestSecretVersions = (await getLatestSecretVersionIds({
-        secretIds
+        secretIds,
     }))
     .map((s) => ({
-        newSecretVersion: s.versionId
+        newSecretVersion: s.versionId,
     }));
     
    const action = await new Action({
@@ -97,8 +97,8 @@ const createActionSecret = async ({
         serviceTokenData: serviceTokenDataId,
         workspace: workspaceId,
         payload: {
-            secretVersions: latestSecretVersions
-        }
+            secretVersions: latestSecretVersions,
+        },
     }).save(); 
     
     return action;
@@ -116,7 +116,7 @@ const createActionClient = ({
     name,
     userId,
     serviceAccountId,
-    serviceTokenDataId
+    serviceTokenDataId,
 }: {
     name: string;
     userId?: Types.ObjectId;
@@ -127,7 +127,7 @@ const createActionClient = ({
         name,
         user: userId,
         serviceAccount: serviceAccountId,
-        serviceTokenData: serviceTokenDataId
+        serviceTokenData: serviceTokenDataId,
     }).save();
 
     return action; 
@@ -162,27 +162,27 @@ const createActionHelper = async ({
         case ACTION_LOGOUT:
             action = await createActionClient({
                 name,
-                userId
+                userId,
             });
             break;
         case ACTION_ADD_SECRETS:
         case ACTION_READ_SECRETS:
         case ACTION_DELETE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
             action = await createActionSecret({
                 name,
                 userId,
                 workspaceId,
-                secretIds
+                secretIds,
             });
             break;
         case ACTION_UPDATE_SECRETS:
-            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            if (!workspaceId || !secretIds) throw new Error("Missing required params workspace id or secret ids to create action secret");
             action = await createActionUpdateSecret({
                 name,
                 userId,
                 workspaceId,
-                secretIds
+                secretIds,
             });
             break;
     }
@@ -191,5 +191,5 @@ const createActionHelper = async ({
 }
 
 export { 
-    createActionHelper
+    createActionHelper,
 };

backend/src/ee/helpers/checkMembershipPermissions.ts

@@ -1,7 +1,7 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import _ from "lodash";
 import { Membership } from "../../models";
-import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
+import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from "../../variables";
 
 export const userHasWorkspaceAccess = async (userId: Types.ObjectId, workspaceId: Types.ObjectId, environment: string, action: any) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })

backend/src/ee/helpers/log.ts

@@ -1,8 +1,8 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import { 
+    IAction,
     Log,
-    IAction
-} from '../models';
+} from "../models";
 
 /**
  * Create an (audit) log
@@ -21,7 +21,7 @@ const createLogHelper = async ({
     workspaceId,
     actions,
     channel,
-    ipAddress
+    ipAddress,
 }: {
     userId?: Types.ObjectId;
     serviceAccountId?: Types.ObjectId;
@@ -39,12 +39,12 @@ const createLogHelper = async ({
         actionNames: actions.map((a) => a.name),
         actions,
         channel,
-        ipAddress
+        ipAddress,
     }).save();
 
     return log;
 }
 
 export {
-    createLogHelper
+    createLogHelper,
 }

backend/src/ee/helpers/secret.ts

@@ -1,10 +1,10 @@
 import { Types } from "mongoose";
-import { Secret, ISecret } from "../../models";
+import { Secret } from "../../models";
 import {
+  FolderVersion,
+  ISecretVersion,
   SecretSnapshot,
   SecretVersion,
-  ISecretVersion,
-  FolderVersion,
 } from "../models";
 
 /**

backend/src/ee/middleware/index.ts

@@ -1,7 +1,7 @@
-import requireLicenseAuth from './requireLicenseAuth';
-import requireSecretSnapshotAuth from './requireSecretSnapshotAuth';
+import requireLicenseAuth from "./requireLicenseAuth";
+import requireSecretSnapshotAuth from "./requireSecretSnapshotAuth";
 
 export {
     requireLicenseAuth,
-    requireSecretSnapshotAuth
+    requireSecretSnapshotAuth,
 }

backend/src/ee/middleware/requireLicenseAuth.ts

@@ -1,4 +1,4 @@
-import { Request, Response, NextFunction } from 'express';
+import { NextFunction, Request, Response } from "express";
 
 /**
  * Validate if organization hosting meets license requirements to 
@@ -7,7 +7,7 @@ import { Request, Response, NextFunction } from 'express';
  * @param {String[]} obj.acceptedTiers
  */
 const requireLicenseAuth = ({
-    acceptedTiers
+    acceptedTiers,
 }: {
     acceptedTiers: string[];
 }) => {

backend/src/ee/middleware/requireSecretSnapshotAuth.ts

@@ -1,9 +1,9 @@
-import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError, SecretSnapshotNotFoundError } from '../../utils/errors';
-import { SecretSnapshot } from '../models';
+import { NextFunction, Request, Response } from "express";
+import { SecretSnapshotNotFoundError } from "../../utils/errors";
+import { SecretSnapshot } from "../models";
 import {
-    validateMembership
-} from '../../helpers/membership';
+    validateMembership,
+} from "../../helpers/membership";
 
 /**
  * Validate if user on request has proper membership for secret snapshot
@@ -15,7 +15,7 @@ import {
 const requireSecretSnapshotAuth = ({
     acceptedRoles,
 }: {
-    acceptedRoles: Array<'admin' | 'member'>;
+    acceptedRoles: Array<"admin" | "member">;
 }) => {
     return async (req: Request, res: Response, next: NextFunction) => {
         const { secretSnapshotId } = req.params;
@@ -24,14 +24,14 @@ const requireSecretSnapshotAuth = ({
         
         if (!secretSnapshot) {
             return next(SecretSnapshotNotFoundError({
-                message: 'Failed to find secret snapshot'
+                message: "Failed to find secret snapshot",
             }));
         }
         
         await validateMembership({
             userId: req.user._id,
             workspaceId: secretSnapshot.workspace,
-            acceptedRoles
+            acceptedRoles,
         });
         
         req.secretSnapshot = secretSnapshot as any;

backend/src/ee/models/action.ts

@@ -1,12 +1,12 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, Types, model } from "mongoose";
 import {
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
     ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
+    ACTION_UPDATE_SECRETS,
+} from "../../variables";
 
 export interface IAction {
     name: string;
@@ -30,42 +30,42 @@ const actionSchema = new Schema<IAction>(
                 ACTION_ADD_SECRETS,
                 ACTION_UPDATE_SECRETS,
                 ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
-            ]
+                ACTION_DELETE_SECRETS,
+            ],
         },
         user: {
             type: Schema.Types.ObjectId,
-            ref: 'User'
+            ref: "User",
         },
         serviceAccount: {
             type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
+            ref: "ServiceAccount",
         },
         serviceTokenData: {
             type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
+            ref: "ServiceTokenData",
         },
         workspace: {
             type: Schema.Types.ObjectId,
-            ref: 'Workspace'
+            ref: "Workspace",
         },
         payload: {
             secretVersions: [{
                 oldSecretVersion: {
                     type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
+                    ref: "SecretVersion",
                 },
                 newSecretVersion: {
                     type: Schema.Types.ObjectId,
-                    ref: 'SecretVersion'
-                }
-            }]
-        }
+                    ref: "SecretVersion",
+                },
+            }],
+        },
     }, {
-        timestamps: true
+        timestamps: true,
     }
 );
 
-const Action = model<IAction>('Action', actionSchema);
+const Action = model<IAction>("Action", actionSchema);
 
 export default Action;

backend/src/ee/models/folderVersion.ts

@@ -1,4 +1,4 @@
-import { model, Schema, Types } from "mongoose";
+import { Schema, Types, model } from "mongoose";
 
 export type TFolderRootVersionSchema = {
   _id: Types.ObjectId;

backend/src/ee/models/log.ts

@@ -1,12 +1,12 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, Types, model } from "mongoose";
 import {
+    ACTION_ADD_SECRETS,
+    ACTION_DELETE_SECRETS,
     ACTION_LOGIN,
     ACTION_LOGOUT,
-    ACTION_ADD_SECRETS,
-    ACTION_UPDATE_SECRETS,
     ACTION_READ_SECRETS,
-    ACTION_DELETE_SECRETS
-} from '../../variables';
+    ACTION_UPDATE_SECRETS,
+} from "../../variables";
 
 export interface ILog {
     _id: Types.ObjectId;
@@ -24,19 +24,19 @@ const logSchema = new Schema<ILog>(
     {
         user: {
             type: Schema.Types.ObjectId,
-            ref: 'User'
+            ref: "User",
         },
         serviceAccount: {
             type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
+            ref: "ServiceAccount",
         },
         serviceTokenData: {
             type: Schema.Types.ObjectId,
-            ref: 'ServiceTokenData'
+            ref: "ServiceTokenData",
         },
         workspace: {
             type: Schema.Types.ObjectId,
-            ref: 'Workspace'
+            ref: "Workspace",
         },
         actionNames: {
             type: [String],
@@ -46,28 +46,28 @@ const logSchema = new Schema<ILog>(
                 ACTION_ADD_SECRETS,
                 ACTION_UPDATE_SECRETS,
                 ACTION_READ_SECRETS,
-                ACTION_DELETE_SECRETS
+                ACTION_DELETE_SECRETS,
             ],
-            required: true
+            required: true,
         },
         actions: [{
             type: Schema.Types.ObjectId,
-            ref: 'Action',
-            required: true
+            ref: "Action",
+            required: true,
         }],
         channel: {
             type: String,
-            enum: ['web', 'cli', 'auto', 'k8-operator', 'other'],
-            required: true
+            enum: ["web", "cli", "auto", "k8-operator", "other"],
+            required: true,
         },
         ipAddress: {
-            type: String
-        }
+            type: String,
+        },
     }, {
-    timestamps: true
+    timestamps: true,
 }
 );
 
-const Log = model<ILog>('Log', logSchema);
+const Log = model<ILog>("Log", logSchema);
 
 export default Log;

backend/src/ee/models/secretSnapshot.ts

@@ -1,4 +1,4 @@
-import { Schema, model, Types } from "mongoose";
+import { Schema, Types, model } from "mongoose";
 
 export interface ISecretSnapshot {
   workspace: Types.ObjectId;

backend/src/ee/models/secretVersion.ts

@@ -1,10 +1,10 @@
-import { Schema, model, Types } from "mongoose";
+import { Schema, Types, model } from "mongoose";
 import {
-  SECRET_SHARED,
-  SECRET_PERSONAL,
   ALGORITHM_AES_256_GCM,
-  ENCODING_SCHEME_UTF8,
   ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8,
+  SECRET_PERSONAL,
+  SECRET_SHARED,
 } from "../../variables";
 
 export interface ISecretVersion {
@@ -114,9 +114,9 @@ const secretVersionSchema = new Schema<ISecretVersion>(
       required: true,
     },
     tags: {
-      ref: 'Tag',
+      ref: "Tag",
       type: [Schema.Types.ObjectId],
-      default: []
+      default: [],
     },
   },
   {

backend/src/ee/routes/v1/action.ts

@@ -1,15 +1,15 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-    validateRequest
-} from '../../../middleware';
-import { param } from 'express-validator';
-import { actionController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { param } from "express-validator";
+import { actionController } from "../../controllers/v1";
 
 // TODO: put into action controller
 router.get(
-    '/:actionId',
-    param('actionId').exists().trim(),
+    "/:actionId",
+    param("actionId").exists().trim(),
     validateRequest,
     actionController.getAction
 );

backend/src/ee/routes/v1/cloudProducts.ts

@@ -1,18 +1,18 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
     requireAuth,
-    validateRequest
-} from '../../../middleware';
-import { query } from 'express-validator';
-import { cloudProductsController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { query } from "express-validator";
+import { cloudProductsController } from "../../controllers/v1";
 
 router.get(
-    '/',
+    "/",
     requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt", "apiKey"],
 	}),
-    query('billing-cycle').exists().isIn(['monthly', 'yearly']),
+    query("billing-cycle").exists().isIn(["monthly", "yearly"]),
     validateRequest,
     cloudProductsController.getCloudProducts 
 );

backend/src/ee/routes/v1/index.ts

@@ -1,9 +1,9 @@
-import secret from './secret';
-import secretSnapshot from './secretSnapshot';
-import organizations from './organizations';
-import workspace from './workspace';
-import action from './action';
-import cloudProducts from './cloudProducts';
+import secret from "./secret";
+import secretSnapshot from "./secretSnapshot";
+import organizations from "./organizations";
+import workspace from "./workspace";
+import action from "./action";
+import cloudProducts from "./cloudProducts";
 
 export {
     secret,
@@ -11,5 +11,5 @@ export {
     organizations,
     workspace,
     action,
-    cloudProducts
+    cloudProducts,
 }

backend/src/ee/routes/v1/organizations.ts

@@ -1,87 +1,223 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
     requireAuth,
     requireOrganizationAuth,
-    validateRequest
-} from '../../../middleware';
-import { param, body } from 'express-validator';
-import { organizationsController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { body, param, query } from "express-validator";
+import { organizationsController } from "../../controllers/v1";
 import {
-    OWNER, ADMIN, MEMBER, ACCEPTED
-} from '../../../variables';
+    ACCEPTED, ADMIN, MEMBER, OWNER,
+} from "../../../variables";
 
 router.get(
-    '/:organizationId/plan',
+    "/:organizationId/plans/table",
     requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
     requireOrganizationAuth({
         acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
     }),
-    param('organizationId').exists().trim(),
+    param("organizationId").exists().trim(),
+    query("billingCycle").exists().isString().isIn(["monthly", "yearly"]),
+    validateRequest,
+    organizationsController.getOrganizationPlansTable
+);
+
+router.get(
+    "/:organizationId/plan",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    query("workspaceId").optional().isString(),
     validateRequest,
     organizationsController.getOrganizationPlan
 );
 
-router.patch(
-    '/:organizationId/plan',
+router.post(
+    "/:organizationId/session/trial",
     requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
     requireOrganizationAuth({
         acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
     }),
-    param('organizationId').exists().trim(),
-    body('productId').exists().isString(),
+    param("organizationId").exists().trim(),
+    body("success_url").exists().trim(),
     validateRequest,
-    organizationsController.updateOrganizationPlan
+    organizationsController.startOrganizationTrial
 );
 
 router.get(
-    '/:organizationId/billing-details/payment-methods',
+    "/:organizationId/plan/billing",
     requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
     requireOrganizationAuth({
         acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
     }),
-    param('organizationId').exists().trim(),
+    param("organizationId").exists().trim(),
+    query("workspaceId").optional().isString(),
+    validateRequest,
+    organizationsController.getOrganizationPlanBillingInfo
+);
+
+router.get(
+    "/:organizationId/plan/table",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    query("workspaceId").optional().isString(),
+    validateRequest,
+    organizationsController.getOrganizationPlanTable
+);
+
+router.get(
+    "/:organizationId/billing-details",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationBillingDetails
+);
+
+router.patch(
+    "/:organizationId/billing-details",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    body("email").optional().isString().trim(),
+    body("name").optional().isString().trim(),
+    validateRequest,
+    organizationsController.updateOrganizationBillingDetails
+);
+
+router.get(
+    "/:organizationId/billing-details/payment-methods",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
     validateRequest,
     organizationsController.getOrganizationPmtMethods
 );
 
 router.post(
-    '/:organizationId/billing-details/payment-methods',
+    "/:organizationId/billing-details/payment-methods",
     requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
     requireOrganizationAuth({
         acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
     }),
-    param('organizationId').exists().trim(),
-    body('success_url').exists().isString(),
-    body('cancel_url').exists().isString(),
+    param("organizationId").exists().trim(),
+    body("success_url").exists().isString(),
+    body("cancel_url").exists().isString(),
     validateRequest,
     organizationsController.addOrganizationPmtMethod
 );
 
 router.delete(
-    '/:organizationId/billing-details/payment-methods/:pmtMethodId',
+    "/:organizationId/billing-details/payment-methods/:pmtMethodId",
     requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt"],
 	}),
     requireOrganizationAuth({
         acceptedRoles: [OWNER, ADMIN, MEMBER],
-        acceptedStatuses: [ACCEPTED]
+        acceptedStatuses: [ACCEPTED],
     }),
-    param('organizationId').exists().trim(),
+    param("organizationId").exists().trim(),
+    param("pmtMethodId").exists().trim(),
     validateRequest,
     organizationsController.deleteOrganizationPmtMethod
 );
 
+router.get(
+    "/:organizationId/billing-details/tax-ids",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationTaxIds
+);
+
+router.post(
+    "/:organizationId/billing-details/tax-ids",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    body("type").exists().isString(),
+    body("value").exists().isString(),
+    validateRequest,
+    organizationsController.addOrganizationTaxId
+);
+
+router.delete(
+    "/:organizationId/billing-details/tax-ids/:taxId",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    param("taxId").exists().trim(),
+    validateRequest,
+    organizationsController.deleteOrganizationTaxId
+);
+
+router.get(
+    "/:organizationId/invoices",
+    requireAuth({
+		acceptedAuthModes: ["jwt"],
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED],
+    }),
+    param("organizationId").exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationInvoices
+);
+
 export default router;

backend/src/ee/routes/v1/secret.ts

@@ -1,46 +1,46 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
     requireAuth,
 	requireSecretAuth,
-    validateRequest
-} from '../../../middleware';
-import { query, param, body } from 'express-validator';
-import { secretController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { body, param, query } from "express-validator";
+import { secretController } from "../../controllers/v1";
 import {
 	ADMIN, 
 	MEMBER,
 	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS
-} from '../../../variables';
+	PERMISSION_WRITE_SECRETS,
+} from "../../../variables";
 
 router.get(
-	'/:secretId/secret-versions',
+	"/:secretId/secret-versions",
 	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt", "apiKey"],
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS]
+		requiredPermissions: [PERMISSION_READ_SECRETS],
 	}),
-	param('secretId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
+	param("secretId").exists().trim(),
+	query("offset").exists().isInt(),
+	query("limit").exists().isInt(),
 	validateRequest,
 	secretController.getSecretVersions
 );
 
 router.post(
-	'/:secretId/secret-versions/rollback',
+	"/:secretId/secret-versions/rollback",
 	requireAuth({
-		acceptedAuthModes: ['jwt', 'apiKey']
+		acceptedAuthModes: ["jwt", "apiKey"],
 	}),
 	requireSecretAuth({
 		acceptedRoles: [ADMIN, MEMBER],
-		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS]
+		requiredPermissions: [PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS],
 	}),
-	param('secretId').exists().trim(),
-	body('version').exists().isInt(),
+	param("secretId").exists().trim(),
+	body("version").exists().isInt(),
 	secretController.rollbackSecretVersion
 );
 

backend/src/ee/routes/v1/secretSnapshot.ts

@@ -1,25 +1,25 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-    requireSecretSnapshotAuth
-} from '../../middleware';
+    requireSecretSnapshotAuth,
+} from "../../middleware";
 import {
     requireAuth,
-    validateRequest
-} from '../../../middleware';
-import { param } from 'express-validator';
-import { ADMIN, MEMBER } from '../../../variables';
-import { secretSnapshotController } from '../../controllers/v1';
+    validateRequest,
+} from "../../../middleware";
+import { param } from "express-validator";
+import { ADMIN, MEMBER } from "../../../variables";
+import { secretSnapshotController } from "../../controllers/v1";
 
 router.get(
-    '/:secretSnapshotId',
+    "/:secretSnapshotId",
     requireAuth({
-		acceptedAuthModes: ['jwt']
+		acceptedAuthModes: ["jwt"],
 	}),
     requireSecretSnapshotAuth({
-        acceptedRoles: [ADMIN, MEMBER]
+        acceptedRoles: [ADMIN, MEMBER],
     }),
-    param('secretSnapshotId').exists().trim(),
+    param("secretSnapshotId").exists().trim(),
     validateRequest,
     secretSnapshotController.getSecretSnapshot
 );

backend/src/ee/routes/v1/stripe.ts

@@ -1,7 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import { stripeController } from '../../controllers/v1';
-
-router.post('/webhook', stripeController.handleWebhook);
-
-export default router;

backend/src/ee/routes/v1/workspace.ts

@@ -5,7 +5,7 @@ import {
   requireWorkspaceAuth,
   validateRequest,
 } from "../../../middleware";
-import { param, query, body } from "express-validator";
+import { body, param, query } from "express-validator";
 import { ADMIN, MEMBER } from "../../../variables";
 import { workspaceController } from "../../controllers/v1";
 

backend/src/ee/services/EELicenseService.ts

@@ -1,33 +1,38 @@
-import NodeCache from 'node-cache';
-import * as Sentry from '@sentry/node';
+import * as Sentry from "@sentry/node";
+import NodeCache from "node-cache";
 import { 
     getLicenseKey,
     getLicenseServerKey,
-    getLicenseServerUrl
-} from '../../config';
+    getLicenseServerUrl,
+} from "../../config";
 import { 
     licenseKeyRequest,
     licenseServerKeyRequest,
+    refreshLicenseKeyToken,
     refreshLicenseServerKeyToken,
-    refreshLicenseKeyToken
-} from '../../config/request';
-import { Organization } from '../../models';
-import { OrganizationNotFoundError } from '../../utils/errors';
+} from "../../config/request";
+import { Organization } from "../../models";
+import { OrganizationNotFoundError } from "../../utils/errors";
 
 interface FeatureSet {
     _id: string | null;
-    slug: 'starter' | 'team' | 'pro' | 'enterprise' | null;
+    slug: "starter" | "team" | "pro" | "enterprise" | null;
     tier: number;
     workspaceLimit: number | null;
     workspacesUsed: number;
     memberLimit: number | null;
     membersUsed: number;
+    environmentLimit: number | null;
+    environmentsUsed: number;
     secretVersioning: boolean;
     pitRecovery: boolean;
     rbac: boolean;
     customRateLimits: boolean;
     customAlerts: boolean;
     auditLogs: boolean;
+    status: 'incomplete' | 'incomplete_expired' | 'trialing' | 'active' | 'past_due' | 'canceled' | 'unpaid' | null;
+    trial_end: number | null;
+    has_used_trial: boolean;
 }
 
 /**
@@ -40,7 +45,7 @@ class EELicenseService {
     
     private readonly _isLicenseValid: boolean; // TODO: deprecate
 
-    public instanceType: 'self-hosted' | 'enterprise-self-hosted' | 'cloud' = 'self-hosted';
+    public instanceType: "self-hosted" | "enterprise-self-hosted" | "cloud" = "self-hosted";
 
     public globalFeatureSet: FeatureSet = {
         _id: null,
@@ -50,12 +55,17 @@ class EELicenseService {
         workspacesUsed: 0,
         memberLimit: null,
         membersUsed: 0,
+        environmentLimit: null,
+        environmentsUsed: 0,
         secretVersioning: true,
-        pitRecovery: true,
+        pitRecovery: false,
         rbac: true,
         customRateLimits: true,
         customAlerts: true,
-        auditLogs: false
+        auditLogs: false,
+        status: null,
+        trial_end: null,
+        has_used_trial: true
     }
 
     public localFeatureSet: NodeCache;
@@ -63,14 +73,14 @@ class EELicenseService {
     constructor() {
         this._isLicenseValid = true;
         this.localFeatureSet = new NodeCache({
-            stdTTL: 300
+            stdTTL: 60,
         });
     }
     
-    public async getOrganizationPlan(organizationId: string): Promise<FeatureSet> {
+    public async getPlan(organizationId: string, workspaceId?: string): Promise<FeatureSet> {
         try {
-            if (this.instanceType === 'cloud') {
-                const cachedPlan = this.localFeatureSet.get<FeatureSet>(organizationId);
+            if (this.instanceType === "cloud") {
+                const cachedPlan = this.localFeatureSet.get<FeatureSet>(`${organizationId}-${workspaceId ?? ""}`);
                 if (cachedPlan) {
                     return cachedPlan;
                 }
@@ -78,12 +88,16 @@ class EELicenseService {
                 const organization = await Organization.findById(organizationId);
                 if (!organization) throw OrganizationNotFoundError();
 
-                const { data: { currentPlan } } = await licenseServerKeyRequest.get(
-                    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`
-                );
+                let url = `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`;
+                
+                if (workspaceId) {
+                    url += `?workspaceId=${workspaceId}`;
+                }
+
+                const { data: { currentPlan } } = await licenseServerKeyRequest.get(url);
 
                 // cache fetched plan for organization
-                this.localFeatureSet.set(organizationId, currentPlan);
+                this.localFeatureSet.set(`${organizationId}-${workspaceId ?? ""}`, currentPlan);
 
                 return currentPlan;
             }
@@ -93,6 +107,19 @@ class EELicenseService {
 
         return this.globalFeatureSet;
     }
+    
+    public async refreshPlan(organizationId: string, workspaceId?: string) {
+        if (this.instanceType === "cloud") {
+            this.localFeatureSet.del(`${organizationId}-${workspaceId ?? ""}`);
+            await this.getPlan(organizationId, workspaceId);
+        }
+    }
+    
+    public async delPlan(organizationId: string) {
+        if (this.instanceType === "cloud") {
+            this.localFeatureSet.del(`${organizationId}-`);
+        }
+    }
 
     public async initGlobalFeatureSet() {
         const licenseServerKey = await getLicenseServerKey();
@@ -104,7 +131,7 @@ class EELicenseService {
                 const token = await refreshLicenseServerKeyToken()
                     
                 if (token) {
-                    this.instanceType = 'cloud';
+                    this.instanceType = "cloud";
                 }
                 
                 return;
@@ -120,7 +147,7 @@ class EELicenseService {
                     );
                     
                     this.globalFeatureSet = currentPlan;
-                    this.instanceType = 'enterprise-self-hosted';
+                    this.instanceType = "enterprise-self-hosted";
                 }
             }
         } catch (err) {
@@ -135,4 +162,4 @@ class EELicenseService {
     }
 }
 
-export default new EELicenseService();
+export default new EELicenseService();

backend/src/ee/services/EELogService.ts

@@ -1,14 +1,14 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import { 
-    IAction
-} from '../models';
+    IAction,
+} from "../models";
 import {
-    createLogHelper
-} from '../helpers/log';
+    createLogHelper,
+} from "../helpers/log";
 import {
-    createActionHelper
-} from '../helpers/action';
-import EELicenseService from './EELicenseService';
+    createActionHelper,
+} from "../helpers/action";
+import EELicenseService from "./EELicenseService";
 
 /**
  * Class to handle Enterprise Edition log actions
@@ -31,7 +31,7 @@ class EELogService {
         workspaceId,
         actions,
         channel,
-        ipAddress
+        ipAddress,
     }: {
         userId?: Types.ObjectId;
         serviceAccountId?: Types.ObjectId;
@@ -49,7 +49,7 @@ class EELogService {
             workspaceId,
             actions,
             channel,
-            ipAddress
+            ipAddress,
         })
     }
     
@@ -68,7 +68,7 @@ class EELogService {
         serviceAccountId,
         serviceTokenDataId,
         workspaceId,
-        secretIds
+        secretIds,
     }: {
         name: string;
         userId?: Types.ObjectId;
@@ -83,7 +83,7 @@ class EELogService {
             serviceAccountId,
             serviceTokenDataId,
             workspaceId,
-            secretIds
+            secretIds,
         });
     }
 }

backend/src/ee/services/EESecretService.ts

@@ -1,11 +1,11 @@
-import { Types } from 'mongoose';
-import { ISecretVersion } from '../models';
+import { Types } from "mongoose";
+import { ISecretVersion } from "../models";
 import {
-  takeSecretSnapshotHelper,
   addSecretVersionsHelper,
   markDeletedSecretVersionsHelper,
-} from '../helpers/secret';
-import EELicenseService from './EELicenseService';
+  takeSecretSnapshotHelper,
+} from "../helpers/secret";
+import EELicenseService from "./EELicenseService";
 
 /**
  * Class to handle Enterprise Edition secret actions

backend/src/ee/services/index.ts

@@ -5,5 +5,5 @@ import EELogService from "./EELogService";
 export {
     EELicenseService,
     EESecretService,
-    EELogService
+    EELogService,
 }

backend/src/events/index.ts

@@ -1,5 +1,5 @@
 import { eventPushSecrets } from "./secret"
 
 export {
-    eventPushSecrets
+    eventPushSecrets,
 }

backend/src/events/secret.ts

@@ -1,8 +1,8 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import { 
+    EVENT_PULL_SECRETS, 
     EVENT_PUSH_SECRETS, 
-    EVENT_PULL_SECRETS 
-} from '../variables';
+} from "../variables";
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -13,7 +13,7 @@ interface PushSecret {
 	ivValue: string;
 	tagValue: string;
 	hashValue: string;
-	type: 'shared' | 'personal';
+	type: "shared" | "personal";
 }
 
 /**
@@ -24,7 +24,7 @@ interface PushSecret {
  */
 const eventPushSecrets = ({
     workspaceId,
-    environment
+    environment,
 }: {
     workspaceId: Types.ObjectId;
     environment?: string;
@@ -35,7 +35,7 @@ const eventPushSecrets = ({
         environment,
         payload: {
 
-        }
+        },
     });
 }
 
@@ -55,10 +55,10 @@ const eventPullSecrets = ({
         workspaceId,
         payload: {
 
-        }
+        },
     });
 }
 
 export {
-    eventPushSecrets
+    eventPushSecrets,
 }

backend/src/helpers/auth.ts

@@ -1,77 +1,79 @@
-import { Types } from 'mongoose';
-import jwt from 'jsonwebtoken';
-import bcrypt from 'bcrypt';
+import { Types } from "mongoose";
+import jwt from "jsonwebtoken";
+import bcrypt from "bcrypt";
 import {
+	APIKeyData,
+	ITokenVersion,
 	IUser,
-	User,
-	ServiceTokenData,
 	ServiceAccount,
-	APIKeyData
-} from '../models';
+	ServiceTokenData,
+	TokenVersion,
+	User,
+} from "../models";
 import {
-	AccountNotFoundError,
-	ServiceTokenDataNotFoundError,
-	ServiceAccountNotFoundError,
 	APIKeyDataNotFoundError,
+	AccountNotFoundError,
+	BadRequestError,
+	ServiceAccountNotFoundError,
+	ServiceTokenDataNotFoundError,
 	UnauthorizedRequestError,
-	BadRequestError
-} from '../utils/errors';
+} from "../utils/errors";
 import {
 	getJwtAuthLifetime,
 	getJwtAuthSecret,
 	getJwtProviderAuthSecret,
 	getJwtRefreshLifetime,
-	getJwtRefreshSecret
-} from '../config';
+	getJwtRefreshSecret,
+} from "../config";
 import {
+	AUTH_MODE_API_KEY,
 	AUTH_MODE_JWT,
 	AUTH_MODE_SERVICE_ACCOUNT,
 	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
+} from "../variables";
 
 /**
  * 
  * @param {Object} obj
  * @param {Object} obj.headers - HTTP request headers object
  */
-const validateAuthMode = ({
+export const validateAuthMode = ({
 	headers,
-	acceptedAuthModes
+	acceptedAuthModes,
 }: {
 	headers: { [key: string]: string | string[] | undefined },
 	acceptedAuthModes: string[]
 }) => {
-	const apiKey = headers['x-api-key'];
-	const authHeader = headers['authorization'];
+	const apiKey = headers["x-api-key"];
+	const authHeader = headers["authorization"];
 
 	let authMode, authTokenValue;
 	if (apiKey === undefined && authHeader === undefined) {
 		// case: no auth or X-API-KEY header present
-		throw BadRequestError({ message: 'Missing Authorization or X-API-KEY in request header.' });
+		throw BadRequestError({ message: "Missing Authorization or X-API-KEY in request header." });
 	}
 
-	if (typeof apiKey === 'string') {
+	if (typeof apiKey === "string") {
 		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
 		authMode = AUTH_MODE_API_KEY;
 		authTokenValue = apiKey;
 	}
 
-	if (typeof authHeader === 'string') {
+	if (typeof authHeader === "string") {
 		// case: treat request authentication type as via Authorization header (i.e. either JWT or service token)
-		const [tokenType, tokenValue] = <[string, string]>authHeader.split(' ', 2) ?? [null, null]
+		const [tokenType, tokenValue] = <[string, string]>authHeader.split(" ", 2) ?? [null, null]
 		if (tokenType === null)
-			throw BadRequestError({ message: `Missing Authorization Header in the request header.` });
-		if (tokenType.toLowerCase() !== 'bearer')
+			throw BadRequestError({ message: "Missing Authorization Header in the request header." });
+		if (tokenType.toLowerCase() !== "bearer")
 			throw BadRequestError({ message: `The provided authentication type '${tokenType}' is not supported.` });
 		if (tokenValue === null)
-			throw BadRequestError({ message: 'Missing Authorization Body in the request header.' });
+			throw BadRequestError({ message: "Missing Authorization Body in the request header." });
 
-		switch (tokenValue.split('.', 1)[0]) {
-			case 'st':
+		switch (tokenValue.split(".", 1)[0]) {
+			case "st":
 				authMode = AUTH_MODE_SERVICE_TOKEN;
 				break;
-			case 'sa':
+			case "sa":
 				authMode = AUTH_MODE_SERVICE_ACCOUNT;
 				break;
 			default:
@@ -81,13 +83,13 @@ const validateAuthMode = ({
 		authTokenValue = tokenValue;
 	}
 
-	if (!authMode || !authTokenValue) throw BadRequestError({ message: 'Missing valid Authorization or X-API-KEY in request header.' });
+	if (!authMode || !authTokenValue) throw BadRequestError({ message: "Missing valid Authorization or X-API-KEY in request header." });
 
-	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: 'The provided authentication type is not supported.' });
+	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: "The provided authentication type is not supported." });
 
 	return ({
 		authMode,
-		authTokenValue
+		authTokenValue,
 	});
 }
 
@@ -97,8 +99,8 @@ const validateAuthMode = ({
  * @param {String} obj.authTokenValue - JWT token value
  * @returns {User} user - user corresponding to JWT token
  */
-const getAuthUserPayload = async ({
-	authTokenValue
+export const getAuthUserPayload = async ({
+	authTokenValue,
 }: {
 	authTokenValue: string;
 }) => {
@@ -107,14 +109,32 @@ const getAuthUserPayload = async ({
 	);
 
 	const user = await User.findOne({
-		_id: decodedToken.userId
-	}).select('+publicKey');
+		_id: new Types.ObjectId(decodedToken.userId),
+	}).select("+publicKey +accessVersion");
 
-	if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
+	if (!user) throw AccountNotFoundError({ message: "Failed to find user" });
 
-	if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
+	if (!user?.publicKey) throw UnauthorizedRequestError({ message: "Failed to authenticate user with partially set up account" });
 
-	return user;
+	const tokenVersion = await TokenVersion.findOneAndUpdate({
+		_id: new Types.ObjectId(decodedToken.tokenVersionId),
+		user: user._id,
+	}, {
+		lastUsed: new Date(),
+	});
+	
+	if (!tokenVersion) throw UnauthorizedRequestError({
+		message: "Failed to validate access token",
+	});
+	
+	if (decodedToken.accessVersion !== tokenVersion.accessVersion) throw UnauthorizedRequestError({
+		message: "Failed to validate access token",
+	});
+
+	return ({
+		user,
+		tokenVersionId: tokenVersion._id,
+	});
 }
 
 /**
@@ -123,42 +143,42 @@ const getAuthUserPayload = async ({
  * @param {String} obj.authTokenValue - service token value
  * @returns {ServiceTokenData} serviceTokenData - service token data
  */
-const getAuthSTDPayload = async ({
-	authTokenValue
+export const getAuthSTDPayload = async ({
+	authTokenValue,
 }: {
 	authTokenValue: string;
 }) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
 
 	let serviceTokenData = await ServiceTokenData
-		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
+		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt");
 
 	if (!serviceTokenData) {
-		throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+		throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });
 	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
 		// case: service token expired
 		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate expired service token'
+			message: "Failed to authenticate expired service token",
 		});
 	}
 
 	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
 	if (!isMatch) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate service token'
+		message: "Failed to authenticate service token",
 	});
 
 	serviceTokenData = await ServiceTokenData
 		.findOneAndUpdate({
-			_id: new Types.ObjectId(TOKEN_IDENTIFIER)
+			_id: new Types.ObjectId(TOKEN_IDENTIFIER),
 		}, {
-			lastUsed: new Date()
+			lastUsed: new Date(),
 		}, {
-			new: true
+			new: true,
 		})
-		.select('+encryptedKey +iv +tag');
+		.select("+encryptedKey +iv +tag");
 
-	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });
 
 	return serviceTokenData;
 }
@@ -169,24 +189,24 @@ const getAuthSTDPayload = async ({
  * @param {String} obj.authTokenValue - service account access token value
  * @returns {ServiceAccount} serviceAccount
  */
-const getAuthSAAKPayload = async ({
-	authTokenValue
+export const getAuthSAAKPayload = async ({
+	authTokenValue,
 }: {
 	authTokenValue: string;
 }) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
 
 	const serviceAccount = await ServiceAccount.findById(
-		Buffer.from(TOKEN_IDENTIFIER, 'base64').toString('hex')
-	).select('+secretHash');
+		Buffer.from(TOKEN_IDENTIFIER, "base64").toString("hex")
+	).select("+secretHash");
 
 	if (!serviceAccount) {
-		throw ServiceAccountNotFoundError({ message: 'Failed to find service account' });
+		throw ServiceAccountNotFoundError({ message: "Failed to find service account" });
 	}
 
 	const result = await bcrypt.compare(TOKEN_SECRET, serviceAccount.secretHash);
 	if (!result) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate service account access key'
+		message: "Failed to authenticate service account access key",
 	});
 
 	return serviceAccount;
@@ -198,49 +218,49 @@ const getAuthSAAKPayload = async ({
  * @param {String} obj.authTokenValue - API key value
  * @returns {APIKeyData} apiKeyData - API key data
  */
-const getAuthAPIKeyPayload = async ({
-	authTokenValue
+export const getAuthAPIKeyPayload = async ({
+	authTokenValue,
 }: {
 	authTokenValue: string;
 }) => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
 
 	let apiKeyData = await APIKeyData
-		.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
-		.populate<{ user: IUser }>('user', '+publicKey');
+		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
+		.populate<{ user: IUser }>("user", "+publicKey");
 
 	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+		throw APIKeyDataNotFoundError({ message: "Failed to find API key data" });
 	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
 		// case: API key expired
 		await APIKeyData.findByIdAndDelete(apiKeyData._id);
 		throw UnauthorizedRequestError({
-			message: 'Failed to authenticate expired API key'
+			message: "Failed to authenticate expired API key",
 		});
 	}
 
 	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
 	if (!isMatch) throw UnauthorizedRequestError({
-		message: 'Failed to authenticate API key'
+		message: "Failed to authenticate API key",
 	});
 
 	apiKeyData = await APIKeyData.findOneAndUpdate({
-		_id: new Types.ObjectId(TOKEN_IDENTIFIER)
+		_id: new Types.ObjectId(TOKEN_IDENTIFIER),
 	}, {
-		lastUsed: new Date()
+		lastUsed: new Date(),
 	}, {
-		new: true
+		new: true,
 	});
 
 	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+		throw APIKeyDataNotFoundError({ message: "Failed to find API key data" });
 	}
 
-	const user = await User.findById(apiKeyData.user).select('+publicKey');
+	const user = await User.findById(apiKeyData.user).select("+publicKey");
 
 	if (!user) {
 		throw AccountNotFoundError({
-			message: 'Failed to find user'
+			message: "Failed to find user",
 		});
 	}
 
@@ -255,28 +275,61 @@ const getAuthAPIKeyPayload = async ({
  * @return {String} obj.token - issued JWT token
  * @return {String} obj.refreshToken - issued refresh token
  */
-const issueAuthTokens = async ({ userId }: { userId: string }) => {
+export const issueAuthTokens = async ({ 
+	userId,
+	ip,
+	userAgent,
+}: { 
+	userId: Types.ObjectId;
+	ip: string;
+	userAgent: string;
+}) => {
+	let tokenVersion: ITokenVersion | null;
+
+	// continue with (session) token version matching existing ip and user agent
+	tokenVersion = await TokenVersion.findOne({
+		user: userId,
+		ip,
+		userAgent,
+	});
+	
+	if (!tokenVersion) {
+		// case: no existing ip and user agent exists
+		// -> create new (session) token version for ip and user agent
+		tokenVersion = await new TokenVersion({
+			user: userId,
+			refreshVersion: 0,
+			accessVersion: 0,
+			ip,
+			userAgent,
+			lastUsed: new Date(),
+		}).save();
+	}
 
 	// issue tokens
 	const token = createToken({
 		payload: {
-			userId
+			userId,
+			tokenVersionId: tokenVersion._id.toString(),
+			accessVersion: tokenVersion.accessVersion,
 		},
 		expiresIn: await getJwtAuthLifetime(),
-		secret: await getJwtAuthSecret()
+		secret: await getJwtAuthSecret(),
 	});
 
 	const refreshToken = createToken({
 		payload: {
-			userId
+			userId,
+			tokenVersionId: tokenVersion._id.toString(),
+			refreshVersion: tokenVersion.refreshVersion,
 		},
 		expiresIn: await getJwtRefreshLifetime(),
-		secret: await getJwtRefreshSecret()
+		secret: await getJwtRefreshSecret(),
 	});
 
 	return {
 		token,
-		refreshToken
+		refreshToken,
 	};
 };
 
@@ -285,14 +338,16 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
  * @param {Object} obj
  * @param {String} obj.userId - id of user whose tokens are cleared.
  */
-const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
+export const clearTokens = async (tokenVersionId: Types.ObjectId): Promise<void> => {
 	// increment refreshVersion on user by 1
-	User.findOneAndUpdate({
-		_id: userId
+
+	await TokenVersion.findOneAndUpdate({
+		_id: tokenVersionId,
 	}, {
 		$inc: {
-			refreshVersion: 1
-		}
+			refreshVersion: 1,
+			accessVersion: 1,
+		},
 	});
 };
 
@@ -304,21 +359,21 @@ const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
  * @param {String} obj.secret - (JWT) secret such as [JWT_AUTH_SECRET]
  * @param {String} obj.expiresIn - string describing time span such as '10h' or '7d'
  */
-const createToken = ({
+export const createToken = ({
 	payload,
 	expiresIn,
-	secret
+	secret,
 }: {
 	payload: any;
 	expiresIn: string | number;
 	secret: string;
 }) => {
 	return jwt.sign(payload, secret, {
-		expiresIn
+		expiresIn,
 	});
 };
 
-const validateProviderAuthToken = async ({
+export const validateProviderAuthToken = async ({
 	email,
 	user,
 	providerAuthToken,
@@ -328,7 +383,7 @@ const validateProviderAuthToken = async ({
 	providerAuthToken?: string;
 }) => {
 	if (!providerAuthToken) {
-		throw new Error('Invalid authentication request.');
+		throw new Error("Invalid authentication request.");
 	}
 
 	const decodedToken = <jwt.ProviderAuthJwtPayload>(
@@ -339,18 +394,6 @@ const validateProviderAuthToken = async ({
 		decodedToken.authProvider !== user.authProvider ||
 		decodedToken.email !== email
 	) {
-		throw new Error('Invalid authentication credentials.')
+		throw new Error("Invalid authentication credentials.")
 	}
-}
-
-export {
-	validateAuthMode,
-	validateProviderAuthToken,
-	getAuthUserPayload,
-	getAuthSTDPayload,
-	getAuthSAAKPayload,
-	getAuthAPIKeyPayload,
-	createToken,
-	issueAuthTokens,
-	clearTokens
-};
+}

backend/src/helpers/bot.ts

@@ -1,29 +1,21 @@
 import { Types } from "mongoose";
+import { Bot, BotKey, ISecret, IUser, Secret } from "../models";
 import {
-  Bot,
-  BotKey,
-  Secret,
-  ISecret,
-  IUser
-} from "../models";
-import {
-  generateKeyPair,
-  encryptSymmetric128BitHexKeyUTF8,
+  decryptAsymmetric,
   decryptSymmetric128BitHexKeyUTF8,
-  decryptAsymmetric
-} from '../utils/crypto';
+  encryptSymmetric128BitHexKeyUTF8,
+  generateKeyPair,
+} from "../utils/crypto";
 import {
-  SECRET_SHARED,
   ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
   ENCODING_SCHEME_UTF8,
-  ENCODING_SCHEME_BASE64
+  SECRET_SHARED,
 } from "../variables";
-import { 
-  getEncryptionKey, 
-  getRootEncryptionKey,
-  client
-} from "../config";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../config";
 import { InternalServerError } from "../utils/errors";
+import Folder from "../models/folder";
+import { getFolderByPath } from "../services/FolderService";
 
 /**
  * Create an inactive bot with name [name] for workspace with id [workspaceId]
@@ -31,7 +23,7 @@ import { InternalServerError } from "../utils/errors";
  * @param {String} obj.name - name of bot
  * @param {String} obj.workspaceId - id of workspace that bot belongs to
  */
-const createBot = async ({
+export const createBot = async ({
   name,
   workspaceId,
 }: {
@@ -40,15 +32,14 @@ const createBot = async ({
 }) => {
   const encryptionKey = await getEncryptionKey();
   const rootEncryptionKey = await getRootEncryptionKey();
-  
+
   const { publicKey, privateKey } = generateKeyPair();
-  
+
   if (rootEncryptionKey) {
-    const { 
-      ciphertext, 
-      iv, 
-      tag 
-    } = client.encryptSymmetric(privateKey, rootEncryptionKey);
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      privateKey,
+      rootEncryptionKey
+    );
 
     return await new Bot({
       name,
@@ -59,9 +50,8 @@ const createBot = async ({
       iv,
       tag,
       algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_BASE64
+      keyEncoding: ENCODING_SCHEME_BASE64,
     }).save();
-  
   } else if (encryptionKey) {
     const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
       plaintext: privateKey,
@@ -77,15 +67,27 @@ const createBot = async ({
       iv,
       tag,
       algorithm: ALGORITHM_AES_256_GCM,
-      keyEncoding: ENCODING_SCHEME_UTF8
+      keyEncoding: ENCODING_SCHEME_UTF8,
     }).save();
   }
 
   throw InternalServerError({
-    message: 'Failed to create new bot due to missing encryption key'
+    message: "Failed to create new bot due to missing encryption key",
   });
 };
 
+/**
+ * Return whether or not workspace with id [workspaceId] is end-to-end encrypted
+ * @param {Types.ObjectId} workspaceId - id of workspace to check
+ */
+export const getIsWorkspaceE2EEHelper = async (workspaceId: Types.ObjectId) => {
+  const botKey = await BotKey.exists({
+    workspace: workspaceId,
+  });
+
+  return botKey ? false : true;
+};
+
 /**
  * Return decrypted secrets for workspace with id [workspaceId]
  * and [environment] using bot
@@ -93,19 +95,41 @@ const createBot = async ({
  * @param {String} obj.workspaceId - id of workspace
  * @param {String} obj.environment - environment
  */
-const getSecretsHelper = async ({
+export const getSecretsBotHelper = async ({
   workspaceId,
   environment,
+  secretPath,
 }: {
   workspaceId: Types.ObjectId;
   environment: string;
+  secretPath: string;
 }) => {
   const content = {} as any;
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
+
+  let folderId = "root";
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  });
+
+  if (!folders && secretPath !== "/") {
+    throw InternalServerError({ message: "Folder not found" });
+  }
+
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw InternalServerError({ message: "Folder not found" });
+    }
+    folderId = folder.id;
+  }
+
   const secrets = await Secret.find({
     workspace: workspaceId,
     environment,
     type: SECRET_SHARED,
+    folder: folderId,
   });
 
   secrets.forEach((secret: ISecret) => {
@@ -136,14 +160,17 @@ const getSecretsHelper = async ({
  * @param {String} obj.workspaceId - id of workspace
  * @returns {String} key - decrypted workspace key
  */
-const getKey = async ({ workspaceId }: { workspaceId: string }) => {
+export const getKey = async ({
+  workspaceId,
+}: {
+  workspaceId: Types.ObjectId;
+}) => {
   const encryptionKey = await getEncryptionKey();
   const rootEncryptionKey = await getRootEncryptionKey();
 
   const botKey = await BotKey.findOne({
     workspace: workspaceId,
-  })
-  .populate<{ sender: IUser }>("sender", "publicKey");
+  }).populate<{ sender: IUser }>("sender", "publicKey");
 
   if (!botKey) throw new Error("Failed to find bot key");
 
@@ -156,7 +183,12 @@ const getKey = async ({ workspaceId }: { workspaceId: string }) => {
 
   if (rootEncryptionKey && bot.keyEncoding === ENCODING_SCHEME_BASE64) {
     // case: encoding scheme is base64
-    const privateKeyBot = client.decryptSymmetric(bot.encryptedPrivateKey, rootEncryptionKey, bot.iv, bot.tag);
+    const privateKeyBot = client.decryptSymmetric(
+      bot.encryptedPrivateKey,
+      rootEncryptionKey,
+      bot.iv,
+      bot.tag
+    );
 
     return decryptAsymmetric({
       ciphertext: botKey.encryptedKey,
@@ -165,15 +197,14 @@ const getKey = async ({ workspaceId }: { workspaceId: string }) => {
       privateKey: privateKeyBot,
     });
   } else if (encryptionKey && bot.keyEncoding === ENCODING_SCHEME_UTF8) {
-    
     // case: encoding scheme is utf8
     const privateKeyBot = decryptSymmetric128BitHexKeyUTF8({
       ciphertext: bot.encryptedPrivateKey,
       iv: bot.iv,
       tag: bot.tag,
-      key: encryptionKey
+      key: encryptionKey,
     });
-    
+
     return decryptAsymmetric({
       ciphertext: botKey.encryptedKey,
       nonce: botKey.nonce,
@@ -183,7 +214,8 @@ const getKey = async ({ workspaceId }: { workspaceId: string }) => {
   }
 
   throw InternalServerError({
-    message: "Failed to obtain bot's copy of workspace key needed for bot operations"
+    message:
+      "Failed to obtain bot's copy of workspace key needed for bot operations",
   });
 };
 
@@ -194,14 +226,14 @@ const getKey = async ({ workspaceId }: { workspaceId: string }) => {
  * @param {String} obj1.workspaceId - id of workspace
  * @param {String} obj1.plaintext - plaintext to encrypt
  */
-const encryptSymmetricHelper = async ({
+export const encryptSymmetricHelper = async ({
   workspaceId,
   plaintext,
 }: {
   workspaceId: Types.ObjectId;
   plaintext: string;
 }) => {
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
   const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
     plaintext,
     key,
@@ -222,7 +254,7 @@ const encryptSymmetricHelper = async ({
  * @param {String} obj.iv - iv
  * @param {String} obj.tag - tag
  */
-const decryptSymmetricHelper = async ({
+export const decryptSymmetricHelper = async ({
   workspaceId,
   ciphertext,
   iv,
@@ -233,7 +265,7 @@ const decryptSymmetricHelper = async ({
   iv: string;
   tag: string;
 }) => {
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
   const plaintext = decryptSymmetric128BitHexKeyUTF8({
     ciphertext,
     iv,
@@ -243,10 +275,3 @@ const decryptSymmetricHelper = async ({
 
   return plaintext;
 };
-
-export {
-  createBot,
-  getSecretsHelper,
-  encryptSymmetricHelper,
-  decryptSymmetricHelper
-};

backend/src/helpers/database.ts

@@ -1,5 +1,5 @@
-import mongoose from 'mongoose';
-import { getLogger } from '../utils/logger';
+import mongoose from "mongoose";
+import { getLogger } from "../utils/logger";
 
 /**
  * Initialize database connection
@@ -7,8 +7,8 @@ import { getLogger } from '../utils/logger';
  * @param {String} obj.mongoURL - mongo connection string
  * @returns 
  */
-const initDatabaseHelper = async ({
-    mongoURL
+export const initDatabaseHelper = async ({
+    mongoURL,
 }: {
     mongoURL: string;
 }) => {
@@ -16,7 +16,7 @@ const initDatabaseHelper = async ({
         await mongoose.connect(mongoURL);
     
         // allow empty strings to pass the required validator
-        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');
+        mongoose.Schema.Types.String.checkRequired(v => typeof v === "string");
 
         (await getLogger("database")).info("Database connection established");
 
@@ -30,20 +30,15 @@ const initDatabaseHelper = async ({
 /**
  * Close database conection
  */
-const closeDatabaseHelper = async () => {
+export const closeDatabaseHelper = async () => {
     return Promise.all([
         new Promise((resolve) => {
             if (mongoose.connection && mongoose.connection.readyState == 1) {
             mongoose.connection.close()
-                .then(() => resolve('Database connection closed'));
+                .then(() => resolve("Database connection closed"));
             } else {
-            resolve('Database connection already closed');
+            resolve("Database connection already closed");
             }
-        })
+        }),
     ]);
-}
-
-export {
-    initDatabaseHelper,
-    closeDatabaseHelper
 }

backend/src/helpers/event.ts

@@ -1,5 +1,5 @@
 import { Types } from "mongoose";
-import { Bot, IBot } from "../models";
+import { Bot } from "../models";
 import { EVENT_PUSH_SECRETS } from "../variables";
 import { IntegrationService } from "../services";
 
@@ -18,7 +18,7 @@ interface Event {
  * @param {String} obj.event.workspaceId - id of workspace that event is part of
  * @param {Object} obj.event.payload - payload of event (depends on event)
  */
-const handleEventHelper = async ({ event }: { event: Event }) => {
+export const handleEventHelper = async ({ event }: { event: Event }) => {
   const { workspaceId, environment } = event;
 
   // TODO: moduralize bot check into separate function
@@ -37,6 +37,4 @@ const handleEventHelper = async ({ event }: { event: Event }) => {
       });
       break;
   }
-};
-
-export { handleEventHelper };
+};

backend/src/helpers/index.ts

@@ -0,0 +1,17 @@
+export * from "./auth";
+export * from "./bot";
+export * from "./database";
+export * from "./event";
+export * from "./integration";
+export * from "./key";
+export * from "./membership";
+export * from "./membershipOrg";
+export * from "./nodemailer";
+export * from "./organization";
+export * from "./rateLimiter";
+export * from "./secret";
+export * from "./secrets";
+export * from "./signup";
+export * from "./token";
+export * from "./user";
+export * from "./workspace";

backend/src/helpers/integration.ts

@@ -1,28 +1,20 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
+import { Bot, Integration, IntegrationAuth } from "../models";
+import { exchangeCode, exchangeRefresh, syncSecrets } from "../integrations";
+import { BotService } from "../services";
 import {
-    Bot,
-    Integration,
-    IntegrationAuth
-} from '../models';
-import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
-import { BotService } from '../services';
-import {
-    INTEGRATION_VERCEL,
-    INTEGRATION_NETLIFY,
-    ALGORITHM_AES_256_GCM,
-    ENCODING_SCHEME_UTF8
-} from '../variables';
-import { 
-    UnauthorizedRequestError,
-} from '../utils/errors';
-import RequestError from '../utils/requestError';
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_VERCEL,
+} from "../variables";
+import { UnauthorizedRequestError } from "../utils/errors";
 
 interface Update {
-    workspace: string;
-    integration: string;
-    teamId?: string;
-    accountId?: string;
+  workspace: string;
+  integration: string;
+  teamId?: string;
+  accountId?: string;
 }
 
 /**
@@ -33,141 +25,138 @@ interface Update {
  * - Create bot sequence for integration
  * @param {Object} obj
  * @param {String} obj.workspaceId - id of workspace
- * @param {String} obj.integration - name of integration 
+ * @param {String} obj.integration - name of integration
  * @param {String} obj.code - code
  * @returns {IntegrationAuth} integrationAuth - integration auth after OAuth2 code-token exchange
-*/
-const handleOAuthExchangeHelper = async ({
-    workspaceId,
+ */
+export const handleOAuthExchangeHelper = async ({
+  workspaceId,
+  integration,
+  code,
+  environment,
+}: {
+  workspaceId: string;
+  integration: string;
+  code: string;
+  environment: string;
+}) => {
+  const bot = await Bot.findOne({
+    workspace: workspaceId,
+    isActive: true,
+  });
+
+  if (!bot)
+    throw new Error("Bot must be enabled for OAuth2 code-token exchange");
+
+  // exchange code for access and refresh tokens
+  const res = await exchangeCode({
     integration,
     code,
-    environment
-}: {
-    workspaceId: string;
-    integration: string;
-    code: string;
-    environment: string;
-}) => {
-    let integrationAuth;
-    try {
-        const bot = await Bot.findOne({
-            workspace: workspaceId,
-            isActive: true
-        });
-        
-        if (!bot) throw new Error('Bot must be enabled for OAuth2 code-token exchange');
-        
-        // exchange code for access and refresh tokens
-        const res = await exchangeCode({
-            integration,
-            code
-        });
-        
-        const update: Update = {
-            workspace: workspaceId,
-            integration
-        }
-        
-        switch (integration) {
-            case INTEGRATION_VERCEL:
-                update.teamId = res.teamId;
-                break;
-            case INTEGRATION_NETLIFY:
-                update.accountId = res.accountId;
-                break;
-        }
-        
-        integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            workspace: workspaceId,
-            integration
-        }, update, {
-            new: true,
-            upsert: true
-        });
-        
-        if (res.refreshToken) {
-            // case: refresh token returned from exchange
-            // set integration auth refresh token
-            await setIntegrationAuthRefreshHelper({
-                integrationAuthId: integrationAuth._id.toString(),
-                refreshToken: res.refreshToken
-            });
-        }
-        
-        if (res.accessToken) {
-            // case: access token returned from exchange
-            // set integration auth access token
-            await setIntegrationAuthAccessHelper({
-                integrationAuthId: integrationAuth._id.toString(),
-                accessId: null,
-                accessToken: res.accessToken,
-                accessExpiresAt: res.accessExpiresAt
-            });
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to handle OAuth2 code-token exchange')
+  });
+
+  const update: Update = {
+    workspace: workspaceId,
+    integration,
+  };
+
+  switch (integration) {
+    case INTEGRATION_VERCEL:
+      update.teamId = res.teamId;
+      break;
+    case INTEGRATION_NETLIFY:
+      update.accountId = res.accountId;
+      break;
+  }
+
+  const integrationAuth = await IntegrationAuth.findOneAndUpdate(
+    {
+      workspace: workspaceId,
+      integration,
+    },
+    update,
+    {
+      new: true,
+      upsert: true,
     }
-    
-    return integrationAuth;
-}
+  );
+
+  if (res.refreshToken) {
+    // case: refresh token returned from exchange
+    // set integration auth refresh token
+    await setIntegrationAuthRefreshHelper({
+      integrationAuthId: integrationAuth._id.toString(),
+      refreshToken: res.refreshToken,
+    });
+  }
+
+  if (res.accessToken) {
+    // case: access token returned from exchange
+    // set integration auth access token
+    await setIntegrationAuthAccessHelper({
+      integrationAuthId: integrationAuth._id.toString(),
+      accessId: null,
+      accessToken: res.accessToken,
+      accessExpiresAt: res.accessExpiresAt,
+    });
+  }
+
+  return integrationAuth;
+};
 /**
  * Sync/push environment variables in workspace with id [workspaceId] to
  * all active integrations for that workspace
  * @param {Object} obj
  * @param {Object} obj.workspaceId - id of workspace
  */
-const syncIntegrationsHelper = async ({
-    workspaceId,
-    environment
+export const syncIntegrationsHelper = async ({
+  workspaceId,
+  environment,
 }: {
-    workspaceId: Types.ObjectId;
-    environment?: string;
+  workspaceId: Types.ObjectId;
+  environment?: string;
 }) => {
-    let integrations;
-    try {
-        integrations = await Integration.find({
-            workspace: workspaceId,
-            ...(environment ? {
-                environment
-            } : {}),
-            isActive: true,
-            app: { $ne: null }
-        });
-
-        // for each workspace integration, sync/push secrets
-        // to that integration
-        for await (const integration of integrations) {
-            // get workspace, environment (shared) secrets
-            const secrets = await BotService.getSecrets({ // issue here?
-                workspaceId: integration.workspace,
-                environment: integration.environment
-            });
-
-            const integrationAuth = await IntegrationAuth.findById(integration.integrationAuth);
-            if (!integrationAuth) throw new Error('Failed to find integration auth');
-            
-            // get integration auth access token
-            const access = await getIntegrationAuthAccessHelper({
-                integrationAuthId: integration.integrationAuth
-            });
-
-            // sync secrets to integration
-            await syncSecrets({
-                integration,
-                integrationAuth,
-                secrets,
-                accessId: access.accessId === undefined ? null : access.accessId,
-                accessToken: access.accessToken
-            });
+  const integrations = await Integration.find({
+    workspace: workspaceId,
+    ...(environment
+      ? {
+          environment,
         }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to sync secrets to integrations');
-    }
-}
+      : {}),
+    isActive: true,
+    app: { $ne: null },
+  });
+
+  // for each workspace integration, sync/push secrets
+  // to that integration
+  for await (const integration of integrations) {
+    // get workspace, environment (shared) secrets
+    const secrets = await BotService.getSecrets({
+      // issue here?
+      workspaceId: integration.workspace,
+      environment: integration.environment,
+      secretPath: integration.secretPath,
+    });
+
+    const integrationAuth = await IntegrationAuth.findById(
+      integration.integrationAuth
+    );
+    if (!integrationAuth) throw new Error("Failed to find integration auth");
+
+    // get integration auth access token
+    const access = await getIntegrationAuthAccessHelper({
+      integrationAuthId: integration.integrationAuth,
+    });
+
+    // sync secrets to integration
+    await syncSecrets({
+      integration,
+      integrationAuth,
+      secrets,
+      accessId: access.accessId === undefined ? null : access.accessId,
+      accessToken: access.accessToken,
+    });
+  }
+};
 
 /**
  * Return decrypted refresh token using the bot's copy
@@ -177,34 +166,29 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} refreshToken - decrypted refresh token
  */
- const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
-    let refreshToken;
-	
-    try {
-        const integrationAuth = await IntegrationAuth
-            .findById(integrationAuthId)
-            .select('+refreshCiphertext +refreshIV +refreshTag');
+export const getIntegrationAuthRefreshHelper = async ({
+  integrationAuthId,
+}: {
+  integrationAuthId: Types.ObjectId;
+}) => {
+  const integrationAuth = await IntegrationAuth.findById(
+    integrationAuthId
+  ).select("+refreshCiphertext +refreshIV +refreshTag");
 
-        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
+  if (!integrationAuth)
+    throw UnauthorizedRequestError({
+      message: "Failed to locate Integration Authentication credentials",
+    });
 
-        refreshToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace,
-            ciphertext: integrationAuth.refreshCiphertext as string,
-            iv: integrationAuth.refreshIV as string,
-            tag: integrationAuth.refreshTag as string
-        });
+  const refreshToken = await BotService.decryptSymmetric({
+    workspaceId: integrationAuth.workspace,
+    ciphertext: integrationAuth.refreshCiphertext as string,
+    iv: integrationAuth.refreshIV as string,
+    tag: integrationAuth.refreshTag as string,
+  });
 
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        if(err instanceof RequestError)
-            throw err
-        else
-            throw new Error('Failed to get integration refresh token');
-    }
-    
-    return refreshToken;
-}
+  return refreshToken;
+};
 
 /**
  * Return decrypted access token using the bot's copy
@@ -214,60 +198,65 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @returns {String} accessToken - decrypted access token
  */
-const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
-    let accessId;
-    let accessToken;
-    try {
-        const integrationAuth = await IntegrationAuth
-            .findById(integrationAuthId)
-            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag');
+export const getIntegrationAuthAccessHelper = async ({
+  integrationAuthId,
+}: {
+  integrationAuthId: Types.ObjectId;
+}) => {
+  let accessId;
+  let accessToken;
+  const integrationAuth = await IntegrationAuth.findById(
+    integrationAuthId
+  ).select(
+    "workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag"
+  );
 
-        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
-
-        accessToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace,
-            ciphertext: integrationAuth.accessCiphertext as string,
-            iv: integrationAuth.accessIV as string,
-            tag: integrationAuth.accessTag as string
-        });
-
-        if (integrationAuth?.accessExpiresAt && integrationAuth?.refreshCiphertext) {
-            // there is a access token expiration date
-            // and refresh token to exchange with the OAuth2 server
-            
-            if (integrationAuth.accessExpiresAt < new Date()) {
-                // access token is expired
-                const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
-                accessToken = await exchangeRefresh({
-                    integrationAuth,
-                    refreshToken
-                });
-            }
-        }
-        
-        if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
-            accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace,
-                ciphertext: integrationAuth.accessIdCiphertext as string,
-                iv: integrationAuth.accessIdIV as string,
-                tag: integrationAuth.accessIdTag as string
-            });
-        }
-
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        if(err instanceof RequestError)
-            throw err
-        else
-            throw new Error('Failed to get integration access token');
-    }
-    
-    return ({
-        accessId,
-        accessToken
+  if (!integrationAuth)
+    throw UnauthorizedRequestError({
+      message: "Failed to locate Integration Authentication credentials",
     });
-}
+
+  accessToken = await BotService.decryptSymmetric({
+    workspaceId: integrationAuth.workspace,
+    ciphertext: integrationAuth.accessCiphertext as string,
+    iv: integrationAuth.accessIV as string,
+    tag: integrationAuth.accessTag as string,
+  });
+
+  if (integrationAuth?.accessExpiresAt && integrationAuth?.refreshCiphertext) {
+    // there is a access token expiration date
+    // and refresh token to exchange with the OAuth2 server
+
+    if (integrationAuth.accessExpiresAt < new Date()) {
+      // access token is expired
+      const refreshToken = await getIntegrationAuthRefreshHelper({
+        integrationAuthId,
+      });
+      accessToken = await exchangeRefresh({
+        integrationAuth,
+        refreshToken,
+      });
+    }
+  }
+
+  if (
+    integrationAuth?.accessIdCiphertext &&
+    integrationAuth?.accessIdIV &&
+    integrationAuth?.accessIdTag
+  ) {
+    accessId = await BotService.decryptSymmetric({
+      workspaceId: integrationAuth.workspace,
+      ciphertext: integrationAuth.accessIdCiphertext as string,
+      iv: integrationAuth.accessIdIV as string,
+      tag: integrationAuth.accessIdTag as string,
+    });
+  }
+
+  return {
+    accessId,
+    accessToken,
+  };
+};
 
 /**
  * Encrypt refresh token [refreshToken] using the bot's copy
@@ -277,114 +266,97 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} obj.refreshToken - refresh token
  */
-const setIntegrationAuthRefreshHelper = async ({
-    integrationAuthId,
-    refreshToken
+export const setIntegrationAuthRefreshHelper = async ({
+  integrationAuthId,
+  refreshToken,
 }: {
-    integrationAuthId: string;
-    refreshToken: string;
+  integrationAuthId: string;
+  refreshToken: string;
 }) => {
-    
-    let integrationAuth;
-    try {
-        integrationAuth = await IntegrationAuth
-            .findById(integrationAuthId);
-        
-        if (!integrationAuth) throw new Error('Failed to find integration auth');
-        
-        const obj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace,
-            plaintext: refreshToken
-        });
-        
-        integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            _id: integrationAuthId
-        }, {
-            refreshCiphertext: obj.ciphertext,
-            refreshIV: obj.iv,
-            refreshTag: obj.tag,
-            algorithm: ALGORITHM_AES_256_GCM,
-            keyEncoding: ENCODING_SCHEME_UTF8
-        }, {
-            new: true
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to set integration auth refresh token');
+  let integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+
+  if (!integrationAuth) throw new Error("Failed to find integration auth");
+
+  const obj = await BotService.encryptSymmetric({
+    workspaceId: integrationAuth.workspace,
+    plaintext: refreshToken,
+  });
+
+  integrationAuth = await IntegrationAuth.findOneAndUpdate(
+    {
+      _id: integrationAuthId,
+    },
+    {
+      refreshCiphertext: obj.ciphertext,
+      refreshIV: obj.iv,
+      refreshTag: obj.tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8,
+    },
+    {
+      new: true,
     }
-    
-    return integrationAuth;
-}
+  );
+
+  return integrationAuth;
+};
 
 /**
  * Encrypt access token [accessToken] and (optionally) access id [accessId]
- * using the bot's copy of the workspace key for workspace belonging to 
+ * using the bot's copy of the workspace key for workspace belonging to
  * integration auth with id [integrationAuthId] and store it along with [accessExpiresAt]
  * @param {Object} obj
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} obj.accessToken - access token
  * @param {Date} obj.accessExpiresAt - expiration date of access token
  */
-const setIntegrationAuthAccessHelper = async ({
-    integrationAuthId,
-    accessId,
-    accessToken,
-    accessExpiresAt
+export const setIntegrationAuthAccessHelper = async ({
+  integrationAuthId,
+  accessId,
+  accessToken,
+  accessExpiresAt,
 }: {
-    integrationAuthId: string;
-    accessId: string | null;
-    accessToken: string;
-    accessExpiresAt: Date | undefined;
+  integrationAuthId: string;
+  accessId: string | null;
+  accessToken: string;
+  accessExpiresAt: Date | undefined;
 }) => {
-    let integrationAuth;
-    try {
-        integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-        
-        if (!integrationAuth) throw new Error('Failed to find integration auth');
-        
-        const encryptedAccessTokenObj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace,
-            plaintext: accessToken
-        });
-        
-        let encryptedAccessIdObj;
-        if (accessId) {
-            encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace,
-                plaintext: accessId
-            }); 
-        }
-        
-        integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            _id: integrationAuthId
-        }, {
-            accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
-            accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
-            accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
-            accessCiphertext: encryptedAccessTokenObj.ciphertext,
-            accessIV: encryptedAccessTokenObj.iv,
-            accessTag: encryptedAccessTokenObj.tag,
-            accessExpiresAt,
-            algorithm: ALGORITHM_AES_256_GCM,
-            keyEncoding: ENCODING_SCHEME_UTF8
-        }, {
-            new: true
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to save integration auth access token');
-    }
-    
-    return integrationAuth;
-}
+  let integrationAuth = await IntegrationAuth.findById(integrationAuthId);
 
-export {
-    handleOAuthExchangeHelper,
-    syncIntegrationsHelper,
-    getIntegrationAuthRefreshHelper,
-    getIntegrationAuthAccessHelper,
-    setIntegrationAuthRefreshHelper,
-    setIntegrationAuthAccessHelper
-}
+  if (!integrationAuth) throw new Error("Failed to find integration auth");
+
+  const encryptedAccessTokenObj = await BotService.encryptSymmetric({
+    workspaceId: integrationAuth.workspace,
+    plaintext: accessToken,
+  });
+
+  let encryptedAccessIdObj;
+  if (accessId) {
+    encryptedAccessIdObj = await BotService.encryptSymmetric({
+      workspaceId: integrationAuth.workspace,
+      plaintext: accessId,
+    });
+  }
+
+  integrationAuth = await IntegrationAuth.findOneAndUpdate(
+    {
+      _id: integrationAuthId,
+    },
+    {
+      accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
+      accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
+      accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
+      accessCiphertext: encryptedAccessTokenObj.ciphertext,
+      accessIV: encryptedAccessTokenObj.iv,
+      accessTag: encryptedAccessTokenObj.tag,
+      accessExpiresAt,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8,
+    },
+    {
+      new: true,
+    }
+  );
+
+  return integrationAuth;
+};

backend/src/helpers/key.ts

@@ -1,4 +1,4 @@
-import { Key, IKey } from '../models';
+import { IKey, Key } from "../models";
 
 interface Key {
 	encryptedKey: string;
@@ -17,10 +17,10 @@ interface Key {
  * @param {String} obj.keys.nonce - nonce for encryption
  * @param {String} obj.keys.userId - id of receiver user
  */
-const pushKeys = async ({
+export const pushKeys = async ({
 	userId,
 	workspaceId,
-	keys
+	keys,
 }: {
 	userId: string;
 	workspaceId: string;
@@ -31,9 +31,9 @@ const pushKeys = async ({
     (
       await Key.find(
         {
-          workspace: workspaceId
+          workspace: workspaceId,
         },
-        'receiver'
+        "receiver"
       )
     ).map((k: IKey) => k.receiver.toString())
   );
@@ -47,9 +47,7 @@ const pushKeys = async ({
       nonce: k.nonce,
       sender: userId,
       receiver: k.userId,
-      workspace: workspaceId
+      workspace: workspaceId,
     }))
   );
-};
-
-export { pushKeys };
+};

backend/src/helpers/membership.ts

@@ -1,7 +1,6 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { Membership, Key } from '../models';
-import { MembershipNotFoundError, BadRequestError } from '../utils/errors';
+import { Types } from "mongoose";
+import { Key, Membership } from "../models";
+import { BadRequestError, MembershipNotFoundError } from "../utils/errors";
 
 /**
  * Validate that user with id [userId] is a member of workspace with id [workspaceId]
@@ -11,30 +10,30 @@ import { MembershipNotFoundError, BadRequestError } from '../utils/errors';
  * @param {String} obj.workspaceId - id of workspace
  * @returns {Membership} membership - membership of user with id [userId] for workspace with id [workspaceId]
  */
-const validateMembership = async ({
-  userId,
-  workspaceId,
-  acceptedRoles,
+export const validateMembership = async ({
+	userId,
+	workspaceId,
+	acceptedRoles,
 }: {
   userId: Types.ObjectId | string;
   workspaceId: Types.ObjectId | string;
-  acceptedRoles?: Array<'admin' | 'member'>;
+  acceptedRoles?: Array<"admin" | "member">;
 }) => {
   const membership = await Membership.findOne({
     user: userId,
     workspace: workspaceId,
-  }).populate('workspace');
+  }).populate("workspace");
 
   if (!membership) {
     throw MembershipNotFoundError({
-      message: 'Failed to find workspace membership',
+      message: "Failed to find workspace membership",
     });
   }
 
   if (acceptedRoles) {
     if (!acceptedRoles.includes(membership.role)) {
       throw BadRequestError({
-        message: 'Failed authorization for membership role',
+        message: "Failed authorization for membership role",
       });
     }
   }
@@ -47,16 +46,8 @@ const validateMembership = async ({
  * @param {Object} queryObj - query object
  * @return {Object} membership - membership
  */
-const findMembership = async (queryObj: any) => {
-  let membership;
-  try {
-    membership = await Membership.findOne(queryObj);
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to find membership');
-  }
-
+export const findMembership = async (queryObj: any) => {
+	const membership = await Membership.findOne(queryObj);
   return membership;
 };
 
@@ -68,40 +59,33 @@ const findMembership = async (queryObj: any) => {
  * @param {String} obj.workspaceId - id of workspace.
  * @param {String[]} obj.roles - roles of users.
  */
-const addMemberships = async ({
-  userIds,
-  workspaceId,
-  roles,
+export const addMemberships = async ({
+	userIds,
+	workspaceId,
+	roles,
 }: {
   userIds: string[];
   workspaceId: string;
   roles: string[];
 }): Promise<void> => {
-  try {
-    const operations = userIds.map((userId, idx) => {
-      return {
-        updateOne: {
-          filter: {
-            user: userId,
-            workspace: workspaceId,
-            role: roles[idx],
-          },
-          update: {
-            user: userId,
-            workspace: workspaceId,
-            role: roles[idx],
-          },
-          upsert: true,
+  const operations = userIds.map((userId, idx) => {
+    return {
+      updateOne: {
+        filter: {
+          user: userId,
+          workspace: workspaceId,
+          role: roles[idx],
         },
-      };
-    });
-
-    await Membership.bulkWrite(operations as any);
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to add users to workspace');
-  }
+        update: {
+          user: userId,
+          workspace: workspaceId,
+          role: roles[idx],
+        },
+        upsert: true,
+      },
+    };
+  });
+  await Membership.bulkWrite(operations as any);
 };
 
 /**
@@ -109,28 +93,19 @@ const addMemberships = async ({
  * @param {Object} obj
  * @param {String} obj.membershipId - id of membership to delete
  */
-const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
-  let deletedMembership;
-  try {
-    deletedMembership = await Membership.findOneAndDelete({
-      _id: membershipId,
-    });
+export const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
+	const deletedMembership = await Membership.findOneAndDelete({
+    _id: membershipId,
+  });
 
-    // delete keys associated with the membership
-    if (deletedMembership?.user) {
-      // case: membership had a registered user
-      await Key.deleteMany({
-        receiver: deletedMembership.user,
-        workspace: deletedMembership.workspace,
-      });
-    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to delete membership');
+  // delete keys associated with the membership
+  if (deletedMembership?.user) {
+    // case: membership had a registered user
+    await Key.deleteMany({
+      receiver: deletedMembership.user,
+      workspace: deletedMembership.workspace,
+    });
   }
 
-  return deletedMembership;
+	return deletedMembership;
 };
-
-export { validateMembership, addMemberships, findMembership, deleteMembership };