update rate limits

bugfix(docs): remove duplicate api key header from API reference docu…

.github/values.yaml

@@ -6,7 +6,7 @@ frontend:
     secrets.infisical.com/auto-reload: "true"
   replicaCount: 2
   image:
-    repository: infisical/frontend
+    repository: infisical/staging_deployment_frontend
     tag: "latest"
     pullPolicy: Always
   kubeSecretRef: managed-secret-frontend
@@ -25,7 +25,7 @@ backend:
     secrets.infisical.com/auto-reload: "true"
   replicaCount: 2
   image:
-    repository: infisical/backend
+    repository: infisical/staging_deployment_backend
     tag: "latest"
     pullPolicy: Always
   kubeSecretRef: managed-backend-secret

.github/workflows/build-docker-image-to-prod.yml

@@ -0,0 +1,118 @@
+name: Release production images (frontend, backend)
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"
+
+jobs:
+  backend-image:
+    name: Build backend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          load: true
+          context: backend
+          tags: infisical/backend:test
+      - name: ⏻ Spawn backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      - name: 🧪 Test backend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-backend-test
+      - name: ⏻ Shut down backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: backend
+          tags: |
+            infisical/backend:${{ steps.commit.outputs.short }}
+            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+
+  frontend-image:
+    name: Build frontend image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build frontend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          load: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          project: 64mmf0n610
+          context: frontend
+          tags: infisical/frontend:test
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+      - name: ⏻ Spawn frontend container
+        run: |
+          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+      - name: 🧪 Test frontend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-frontend-test
+      - name: ⏻ Shut down frontend container
+        run: |
+          docker stop infisical-frontend-test
+      - name: 🏗️ Build frontend and push
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          push: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          context: frontend
+          tags: |
+            infisical/frontend:${{ steps.commit.outputs.short }}
+            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}

.github/workflows/build-staging-img.yml

@@ -1,17 +1,11 @@
 name: Build, Publish and Deploy to Gamma
-on:
-  push:
-    tags:
-      - "infisical/v*.*.*"
+on: [workflow_dispatch]
 
 jobs:
   backend-image:
     name: Build backend image
     runs-on: ubuntu-latest
     steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - name: 📦 Install dependencies to test all dependencies
@@ -57,18 +51,14 @@ jobs:
           push: true
           context: backend
           tags: |
-            infisical/backend:${{ steps.commit.outputs.short }}
-            infisical/backend:latest
-            infisical/backend:${{ steps.extract_version.outputs.version }}
+            infisical/staging_deployment_backend:${{ steps.commit.outputs.short }}
+            infisical/staging_deployment_backend:latest
           platforms: linux/amd64,linux/arm64
 
   frontend-image:
     name: Build frontend image
     runs-on: ubuntu-latest
     steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - name: Save commit hashes for tag
@@ -90,12 +80,12 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           project: 64mmf0n610
           context: frontend
-          tags: infisical/frontend:test
+          tags: infisical/staging_deployment_frontend:test
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
       - name: ⏻ Spawn frontend container
         run: |
-          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+          docker run -d --rm --name infisical-frontend-test infisical/staging_deployment_frontend:test
       - name: 🧪 Test frontend image
         run: |
           ./.github/resources/healthcheck.sh infisical-frontend-test
@@ -110,9 +100,8 @@ jobs:
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
           context: frontend
           tags: |
-            infisical/frontend:${{ steps.commit.outputs.short }}
-            infisical/frontend:latest
-            infisical/frontend:${{ steps.extract_version.outputs.version }}
+            infisical/staging_deployment_frontend:${{ steps.commit.outputs.short }}
+            infisical/staging_deployment_frontend:latest
           platforms: linux/amd64,linux/arm64
           build-args: |
             POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
@@ -146,7 +135,7 @@ jobs:
       - name: Download helm values to file and upgrade gamma deploy
         run: |
           wget https://raw.githubusercontent.com/Infisical/infisical/main/.github/values.yaml
-          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --recreate-pods
+          helm upgrade infisical infisical-helm-charts/infisical  --values values.yaml --wait
           if [[ $(helm status infisical) == *"FAILED"* ]]; then
             echo "Helm upgrade failed"
             exit 1

Dockerfile.standalone-infisical

@@ -25,6 +25,8 @@ ARG POSTHOG_HOST
 ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
 
 # Build
 RUN npm run build
@@ -42,6 +44,9 @@ VOLUME /app/.next/cache/images
 ARG POSTHOG_API_KEY
 ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
   BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+ARG INTERCOM_ID
+ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
+  BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
 
 COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
 COPY --from=frontend-builder /app/public ./public

README.md

@@ -25,7 +25,7 @@
     <img src="https://img.shields.io/github/commit-activity/m/infisical/infisical" alt="git commit activity" />
   </a>
   <a href="https://cloudsmith.io/~infisical/repos/">
-    <img src="https://img.shields.io/badge/Downloads-240.2k-orange" alt="Cloudsmith downloads" />
+    <img src="https://img.shields.io/badge/Downloads-305.8k-orange" alt="Cloudsmith downloads" />
   </a>
   <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">
     <img src="https://img.shields.io/badge/chat-on%20Slack-blueviolet" alt="Slack community channel" />
@@ -127,7 +127,7 @@ Whether it's big or small, we love contributions. Check out our guide to see how
 
 Not sure where to get started? You can:
 
--   [Book a free, non-pressure pairing sessions with one of our teammates](mailto:tony@infisical.com?subject=Pairing%20session&body=I'd%20like%20to%20do%20a%20pairing%20session!)!
+-   [Book a free, non-pressure pairing session / code walkthrough with one of our teammates](https://cal.com/tony-infisical/30-min-meeting-contributing)!
 -   Join our <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1wehzfnzn-1aMo5JcGENJiNAC2SD8Jlg">Slack</a>, and ask us any questions there.
 
 ## Resources

backend/package.json

@@ -20,6 +20,7 @@
     "crypto-js": "^4.1.1",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
+    "express-async-errors": "^3.1.1",
     "express-rate-limit": "^6.7.0",
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
@@ -31,15 +32,14 @@
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",
     "mongoose": "^6.10.5",
-    "node-cache": "^5.1.2",
     "nanoid": "^3.3.6",
+    "node-cache": "^5.1.2",
     "nodemailer": "^6.8.0",
     "passport": "^0.6.0",
     "passport-google-oauth20": "^2.0.0",
     "posthog-node": "^2.6.0",
     "query-string": "^7.1.3",
     "rate-limit-mongo": "^2.3.2",
-    "request-ip": "^3.3.0",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
     "swagger-autogen": "^2.22.0",
@@ -58,7 +58,7 @@
     "start": "node build/index.js",
     "dev": "nodemon",
     "swagger-autogen": "node ./swagger/index.ts",
-    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
     "lint-staged": "lint-staged",

backend/src/controllers/v1/authController.ts

@@ -1,19 +1,28 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
+import fs from 'fs';
+import path from 'path';
 import jwt from 'jsonwebtoken';
 import * as bigintConversion from 'bigint-conversion';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
-import { User, LoginSRPDetail } from '../../models';
+import { 
+  User, 
+  LoginSRPDetail,
+  TokenVersion
+} from '../../models';
 import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
 import { checkUserDevice } from '../../helpers/user';
 import {
   ACTION_LOGIN,
-  ACTION_LOGOUT
+  ACTION_LOGOUT,
+  AUTH_MODE_JWT
 } from '../../variables';
-import { BadRequestError } from '../../utils/errors';
+import { 
+  BadRequestError,
+  UnauthorizedRequestError
+} from '../../utils/errors';
 import { EELogService } from '../../ee/services';
-import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+import { getChannelFromUserAgent } from '../../utils/posthog';
 import {
   getJwtRefreshSecret,
   getJwtAuthLifetime,
@@ -24,6 +33,7 @@ import {
 declare module 'jsonwebtoken' {
   export interface UserIDJwtPayload extends jwt.JwtPayload {
     userId: string;
+    refreshVersion?: number;
   }
 }
 
@@ -34,47 +44,39 @@ declare module 'jsonwebtoken' {
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-  try {
-    const {
-      email,
-      clientPublicKey
-    }: { email: string; clientPublicKey: string } = req.body;
+  const {
+    email,
+    clientPublicKey
+  }: { email: string; clientPublicKey: string } = req.body;
 
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
+  const user = await User.findOne({
+    email
+  }).select('+salt +verifier');
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error('Failed to find user');
 
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier
-      },
-      async () => {
-        // generate server-side public key
-        const serverPublicKey = server.getPublicKey();
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier
+    },
+    async () => {
+      // generate server-side public key
+      const serverPublicKey = server.getPublicKey();
 
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false })
+      await LoginSRPDetail.findOneAndReplace({ email: email }, {
+        email: email,
+        clientPublicKey: clientPublicKey,
+        serverBInt: bigintConversion.bigintToBuf(server.bInt),
+      }, { upsert: true, returnNewDocument: false })
 
-        return res.status(200).send({
-          serverPublicKey,
-          salt: user.salt
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
+      return res.status(200).send({
+        serverPublicKey,
+        salt: user.salt
+      });
+    }
+  );
 };
 
 /**
@@ -85,84 +87,80 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-  try {
-    const { email, clientProof } = req.body;
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
+  const { email, clientProof } = req.body;
+  const user = await User.findOne({
+    email
+  }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error('Failed to find user');
 
-    const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: email })
 
-    if (!loginSRPDetailFromDB) {
-      return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-    }
+  if (!loginSRPDetailFromDB) {
+    return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+  }
 
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier,
-        b: loginSRPDetailFromDB.serverBInt
-      },
-      async () => {
-        server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+      b: loginSRPDetailFromDB.serverBInt
+    },
+    async () => {
+      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
-        // compare server and client shared keys
-        if (server.checkClientProof(clientProof)) {
-          // issue tokens
+      // compare server and client shared keys
+      if (server.checkClientProof(clientProof)) {
+        // issue tokens
 
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
-          });
+        await checkUserDevice({
+          user,
+          ip: req.realIP,
+          userAgent: req.headers['user-agent'] ?? ''
+        });
 
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+        const tokens = await issueAuthTokens({ 
+          userId: user._id,
+          ip: req.realIP,
+          userAgent: req.headers['user-agent'] ?? ''
+        });
 
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: await getHttpsEnabled()
-          });
+        // store (refresh) token in httpOnly cookie
+        res.cookie('jid', tokens.refreshToken, {
+          httpOnly: true,
+          path: '/',
+          sameSite: 'strict',
+          secure: await getHttpsEnabled()
+        });
 
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
-          });
+        const loginAction = await EELogService.createAction({
+          name: ACTION_LOGIN,
+          userId: user._id
+        });
 
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
-          });
+        loginAction && await EELogService.createLog({
+          userId: user._id,
+          actions: [loginAction],
+          channel: getChannelFromUserAgent(req.headers['user-agent']),
+          ipAddress: req.realIP
+        });
 
-          // return (access) token in response
-          return res.status(200).send({
-            token: tokens.token,
-            publicKey: user.publicKey,
-            encryptedPrivateKey: user.encryptedPrivateKey,
-            iv: user.iv,
-            tag: user.tag
-          });
-        }
-
-        return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
+        // return (access) token in response
+        return res.status(200).send({
+          token: tokens.token,
+          publicKey: user.publicKey,
+          encryptedPrivateKey: user.encryptedPrivateKey,
+          iv: user.iv,
+          tag: user.tag
         });
       }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
+
+      return res.status(400).send({
+        message: 'Failed to authenticate. Try again?'
+      });
+    }
+  );
 };
 
 /**
@@ -172,44 +170,59 @@ export const login2 = async (req: Request, res: Response) => {
  * @returns
  */
 export const logout = async (req: Request, res: Response) => {
-  try {
-    await clearTokens({
-      userId: req.user._id.toString()
-    });
-
-    // clear httpOnly cookie
-    res.cookie('jid', '', {
-      httpOnly: true,
-      path: '/',
-      sameSite: 'strict',
-      secure: (await getHttpsEnabled()) as boolean
-    });
-
-    const logoutAction = await EELogService.createAction({
-      name: ACTION_LOGOUT,
-      userId: req.user._id
-    });
-
-    logoutAction && await EELogService.createLog({
-      userId: req.user._id,
-      actions: [logoutAction],
-      channel: getChannelFromUserAgent(req.headers['user-agent']),
-      ipAddress: req.ip
-    });
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to logout'
-    });
+  if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User && req.authData.tokenVersionId) {
+    await clearTokens(req.authData.tokenVersionId)
   }
 
+  // clear httpOnly cookie
+  res.cookie('jid', '', {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'strict',
+    secure: (await getHttpsEnabled()) as boolean
+  });
+
+  const logoutAction = await EELogService.createAction({
+    name: ACTION_LOGOUT,
+    userId: req.user._id
+  });
+
+  logoutAction && await EELogService.createLog({
+    userId: req.user._id,
+    actions: [logoutAction],
+    channel: getChannelFromUserAgent(req.headers['user-agent']),
+    ipAddress: req.realIP
+  });
+
   return res.status(200).send({
     message: 'Successfully logged out.'
   });
 };
 
+export const getCommonPasswords = async (req: Request, res: Response) => {
+  const commonPasswords = fs.readFileSync(
+		path.resolve(__dirname, '../../data/' + 'common_passwords.txt'),
+		'utf8'
+	).split('\n');	
+
+  return res.status(200).send(commonPasswords);
+}
+
+export const revokeAllSessions = async (req: Request, res: Response) => {
+  await TokenVersion.updateMany({
+    user: req.user._id
+  }, {
+    $inc: {
+      refreshVersion: 1,
+      accessVersion: 1
+    }
+  });
+
+  return res.status(200).send({
+    message: 'Successfully revoked all sessions.'
+  }); 
+}
+
 /**
  * Return user is authenticated
  * @param req
@@ -223,49 +236,53 @@ export const checkAuth = async (req: Request, res: Response) => {
 }
 
 /**
- * Return new token by redeeming refresh token
+ * Return new JWT access token by first validating the refresh token
  * @param req
  * @param res
  * @returns
  */
 export const getNewToken = async (req: Request, res: Response) => {
-  try {
-    const refreshToken = req.cookies.jid;
+  const refreshToken = req.cookies.jid;
 
-    if (!refreshToken) {
-      throw new Error('Failed to find token in request cookies');
-    }
-
-    const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, await getJwtRefreshSecret())
-    );
-
-    const user = await User.findOne({
-      _id: decodedToken.userId
-    }).select('+publicKey');
-
-    if (!user) throw new Error('Failed to authenticate unfound user');
-    if (!user?.publicKey)
-      throw new Error('Failed to authenticate not fully set up account');
-
-    const token = createToken({
-      payload: {
-        userId: decodedToken.userId
-      },
-      expiresIn: await getJwtAuthLifetime(),
-      secret: await getJwtAuthSecret()
-    });
-
-    return res.status(200).send({
-      token
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Invalid request'
-    });
+  if (!refreshToken) {
+    throw new Error('Failed to find refresh token in request cookies');
   }
+
+  const decodedToken = <jwt.UserIDJwtPayload>(
+    jwt.verify(refreshToken, await getJwtRefreshSecret())
+  );
+
+  const user = await User.findOne({
+    _id: decodedToken.userId
+  }).select('+publicKey +refreshVersion +accessVersion');
+
+  if (!user) throw new Error('Failed to authenticate unfound user');
+  if (!user?.publicKey)
+    throw new Error('Failed to authenticate not fully set up account');
+  
+  const tokenVersion = await TokenVersion.findById(decodedToken.tokenVersionId);
+
+  if (!tokenVersion) throw UnauthorizedRequestError({
+    message: 'Failed to validate refresh token'
+  });
+
+  if (decodedToken.refreshVersion !== tokenVersion.refreshVersion) throw BadRequestError({
+    message: 'Failed to validate refresh token'
+  });
+
+  const token = createToken({
+    payload: {
+      userId: decodedToken.userId,
+      tokenVersionId: tokenVersion._id.toString(),
+      accessVersion: tokenVersion.refreshVersion
+    },
+    expiresIn: await getJwtAuthLifetime(),
+    secret: await getJwtAuthSecret()
+  });
+
+  return res.status(200).send({
+    token
+  });
 };
 
 export const handleAuthProviderCallback = (req: Request, res: Response) => {

backend/src/controllers/v1/botController.ts

@@ -1,6 +1,5 @@
 import { Request, Response } from 'express';
 import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
 import { Bot, BotKey } from '../../models';
 import { createBot } from '../../helpers/bot';
 
@@ -17,33 +16,24 @@ interface BotKey {
  * @returns
  */
 export const getBotByWorkspaceId = async (req: Request, res: Response) => {
-    let bot;
-	try {
-        const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-        bot = await Bot.findOne({
-            workspace: workspaceId
-        });
-        
-        if (!bot) {
-            // case: bot doesn't exist for workspace with id [workspaceId]
-            // -> create a new bot and return it
-            bot = await createBot({
-                name: 'Infisical Bot',
-                workspaceId: new Types.ObjectId(workspaceId)
-            });
-        }
-	} catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-        return res.status(400).send({
-			message: 'Failed to get bot for workspace'
-		});
-	}
+  let bot = await Bot.findOne({
+      workspace: workspaceId
+  });
+  
+  if (!bot) {
+      // case: bot doesn't exist for workspace with id [workspaceId]
+      // -> create a new bot and return it
+      bot = await createBot({
+          name: 'Infisical Bot',
+          workspaceId: new Types.ObjectId(workspaceId)
+      });
+  }
     
-    return res.status(200).send({
-        bot
-    });
+  return res.status(200).send({
+      bot
+  });
 };
 
 /**
@@ -53,54 +43,44 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
  * @returns
  */
 export const setBotActiveState = async (req: Request, res: Response) => {
-    let bot;
-	try {
-        const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
-        
-        if (isActive) {
-            // bot state set to active -> share workspace key with bot
-            if (!botKey?.encryptedKey || !botKey?.nonce) {
-                return res.status(400).send({
-                    message: 'Failed to set bot state to active - missing bot key'
-                });
-            }
-            
-            await BotKey.findOneAndUpdate({
-                workspace: req.bot.workspace
-            }, {
-                encryptedKey: botKey.encryptedKey,
-                nonce: botKey.nonce,
-                sender: req.user._id,
-                bot: req.bot._id,
-                workspace: req.bot.workspace
-            }, {
-                upsert: true,
-                new: true
-            });
-        } else {
-            // case: bot state set to inactive -> delete bot's workspace key
-            await BotKey.deleteOne({
-                bot: req.bot._id
+    const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
+    
+    if (isActive) {
+        // bot state set to active -> share workspace key with bot
+        if (!botKey?.encryptedKey || !botKey?.nonce) {
+            return res.status(400).send({
+                message: 'Failed to set bot state to active - missing bot key'
             });
         }
-
-        bot = await Bot.findOneAndUpdate({
-            _id: req.bot._id
+        
+        await BotKey.findOneAndUpdate({
+            workspace: req.bot.workspace
         }, {
-            isActive
+            encryptedKey: botKey.encryptedKey,
+            nonce: botKey.nonce,
+            sender: req.user._id,
+            bot: req.bot._id,
+            workspace: req.bot.workspace
         }, {
+            upsert: true,
             new: true
         });
-        
-        if (!bot) throw new Error('Failed to update bot active state');
-        
-	} catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-        return res.status(400).send({
-			message: 'Failed to update bot active state'
-		});
-	}
+    } else {
+        // case: bot state set to inactive -> delete bot's workspace key
+        await BotKey.deleteOne({
+            bot: req.bot._id
+        });
+    }
+
+    let bot = await Bot.findOneAndUpdate({
+        _id: req.bot._id
+    }, {
+        isActive
+    }, {
+        new: true
+    });
+    
+    if (!bot) throw new Error('Failed to update bot active state');
     
     return res.status(200).send({
         bot

backend/src/controllers/v1/integrationAuthController.ts

@@ -1,6 +1,5 @@
 import { Request, Response } from 'express';
 import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
 import {
 	IntegrationAuth,
 	Bot 
@@ -22,22 +21,13 @@ import { standardRequest } from '../../config/request';
  * Return integration authorization with id [integrationAuthId]
  */
 export const getIntegrationAuth = async (req: Request, res: Response) => {
-	let integrationAuth;
-	try {
-		const { integrationAuthId } = req.params;
-		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-		
-		if (!integrationAuth) return res.status(400).send({
-			message: 'Failed to find integration authorization'
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get integration authorization'
-		});	
-	}
-	
+  const { integrationAuthId } = req.params;
+  const integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+  
+  if (!integrationAuth) return res.status(400).send({
+    message: 'Failed to find integration authorization'
+  });
+
 	return res.status(200).send({
 		integrationAuth
 	});
@@ -61,33 +51,25 @@ export const oAuthExchange = async (
 	req: Request,
 	res: Response
 ) => {
-	try {
-		const { workspaceId, code, integration } = req.body;
-		if (!INTEGRATION_SET.has(integration))
-			throw new Error('Failed to validate integration');
-		
-		const environments = req.membership.workspace?.environments || [];
-		if(environments.length === 0){
-			throw new Error("Failed to get environments")
-		}
-	
-		const integrationAuth = await IntegrationService.handleOAuthExchange({
-			workspaceId,
-			integration,
-			code,
-			environment: environments[0].slug,
-		});
-		
-		return res.status(200).send({
-			integrationAuth
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get OAuth2 code-token exchange'
-		});
-	}
+  const { workspaceId, code, integration } = req.body;
+  if (!INTEGRATION_SET.has(integration))
+    throw new Error('Failed to validate integration');
+  
+  const environments = req.membership.workspace?.environments || [];
+  if(environments.length === 0){
+    throw new Error("Failed to get environments")
+  }
+
+  const integrationAuth = await IntegrationService.handleOAuthExchange({
+    workspaceId,
+    integration,
+    code,
+    environment: environments[0].slug,
+  });
+  
+  return res.status(200).send({
+    integrationAuth
+  });
 };
 
 /**
@@ -104,55 +86,53 @@ export const saveIntegrationAccessToken = async (
 	// TODO: check if access token is valid for each integration
 
 	let integrationAuth;
-	try {
-		const {
-			workspaceId,
-			accessId,
-			accessToken,
-			integration
-		}: {
-			workspaceId: string;
-			accessId: string | null;
-			accessToken: string;
-			integration: string;
-		} = req.body;
+	const {
+		workspaceId,
+		accessId,
+		accessToken,
+		url,
+		namespace,
+		integration
+	}: {
+		workspaceId: string;
+		accessId: string | null;
+		accessToken: string;
+		url: string;
+		namespace: string;
+		integration: string;
+	} = req.body;
 
-		const bot = await Bot.findOne({
-            workspace: new Types.ObjectId(workspaceId),
-            isActive: true
-        });
-        
-        if (!bot) throw new Error('Bot must be enabled to save integration access token');
+	const bot = await Bot.findOne({
+		workspace: new Types.ObjectId(workspaceId),
+		isActive: true
+	});
+      
+    if (!bot) throw new Error('Bot must be enabled to save integration access token');
 
-		integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            workspace: new Types.ObjectId(workspaceId),
-            integration
-        }, {
-            workspace: new Types.ObjectId(workspaceId),
-            integration,
-			algorithm: ALGORITHM_AES_256_GCM,
-			keyEncoding: ENCODING_SCHEME_UTF8
-		}, {
-            new: true,
-            upsert: true
-        });
-		
-		// encrypt and save integration access details
-		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
-			integrationAuthId: integrationAuth._id.toString(),
-			accessId,
-			accessToken,
-			accessExpiresAt: undefined
-		});
-		
-		if (!integrationAuth) throw new Error('Failed to save integration access token');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to save access token for integration'
-		});
-	}
+  	integrationAuth = await IntegrationAuth.findOneAndUpdate({
+		workspace: new Types.ObjectId(workspaceId),
+		integration
+    }, {
+		workspace: new Types.ObjectId(workspaceId),
+		integration,
+		url,
+		namespace,
+		algorithm: ALGORITHM_AES_256_GCM,
+		keyEncoding: ENCODING_SCHEME_UTF8
+  	}, {
+		new: true,
+		upsert: true
+    });
+  
+	// encrypt and save integration access details
+	integrationAuth = await IntegrationService.setIntegrationAuthAccess({
+		integrationAuthId: integrationAuth._id.toString(),
+		accessId,
+		accessToken,
+		accessExpiresAt: undefined
+	});
+  
+  	if (!integrationAuth) throw new Error('Failed to save integration access token');
 	
 	return res.status(200).send({
 		integrationAuth
@@ -166,22 +146,13 @@ export const saveIntegrationAccessToken = async (
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-	let apps;
-	try {
-		const teamId = req.query.teamId as string;
-		
-		apps = await getApps({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken,
-			...teamId && { teamId }
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get integration authorization applications",
-		});
-	}
+  const teamId = req.query.teamId as string;
+  
+  const apps = await getApps({
+    integrationAuth: req.integrationAuth,
+    accessToken: req.accessToken,
+    ...teamId && { teamId }
+  });
 
 	return res.status(200).send({
 		apps
@@ -402,19 +373,10 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
  * @returns
  */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-  let integrationAuth;
-  try {
-    integrationAuth = await revokeAccess({
-      integrationAuth: req.integrationAuth,
-      accessToken: req.accessToken,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration authorization",
-    });
-  }
+  const integrationAuth = await revokeAccess({
+    integrationAuth: req.integrationAuth,
+    accessToken: req.accessToken,
+  });
 
   return res.status(200).send({
     integrationAuth,

backend/src/controllers/v1/integrationController.ts

@@ -1,6 +1,5 @@
 import { Request, Response } from 'express';
 import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
 import { 
 	Integration
 } from '../../models';
@@ -14,61 +13,50 @@ import { eventPushSecrets } from '../../events';
  * @returns
  */
 export const createIntegration = async (req: Request, res: Response) => {
-	let integration;
+  const {
+    integrationAuthId,
+    app,
+    appId,
+    isActive,
+    sourceEnvironment,
+    targetEnvironment,
+    targetEnvironmentId,
+    targetService,
+    targetServiceId,
+    owner,
+    path,
+    region
+  } = req.body;
+  
+  // TODO: validate [sourceEnvironment] and [targetEnvironment]
 
-	try {
-		const {
-			integrationAuthId,
-			app,
-			appId,
-			isActive,
-			sourceEnvironment,
-			targetEnvironment,
-			targetEnvironmentId,
-      targetService,
-      targetServiceId,
-			owner,
-			path,
-			region
-		} = req.body;
-		
-		// TODO: validate [sourceEnvironment] and [targetEnvironment]
-
-		// initialize new integration after saving integration access token
-    integration = await new Integration({
-      workspace: req.integrationAuth.workspace._id,
-      environment: sourceEnvironment,
-      isActive,
-      app,
-			appId,
-			targetEnvironment,
-			targetEnvironmentId,
-      targetService,
-      targetServiceId,
-			owner,
-			path,
-			region,
-      integration: req.integrationAuth.integration,
-      integrationAuth: new Types.ObjectId(integrationAuthId)
-    }).save();
-		
-		if (integration) {
-			// trigger event - push secrets
-			EventService.handleEvent({
-				event: eventPushSecrets({
-					workspaceId: integration.workspace,
-          environment: sourceEnvironment
-				})
-			});
-		}
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create integration'
-		});
-	}
+  // initialize new integration after saving integration access token
+  const integration = await new Integration({
+    workspace: req.integrationAuth.workspace._id,
+    environment: sourceEnvironment,
+    isActive,
+    app,
+    appId,
+    targetEnvironment,
+    targetEnvironmentId,
+    targetService,
+    targetServiceId,
+    owner,
+    path,
+    region,
+    integration: req.integrationAuth.integration,
+    integrationAuth: new Types.ObjectId(integrationAuthId)
+  }).save();
+  
+  if (integration) {
+    // trigger event - push secrets
+    EventService.handleEvent({
+      event: eventPushSecrets({
+        workspaceId: integration.workspace,
+        environment: sourceEnvironment
+      })
+    });
+  }
 
   return res.status(200).send({
     integration,
@@ -82,52 +70,43 @@ export const createIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const updateIntegration = async (req: Request, res: Response) => {
-  let integration;
 
   // TODO: add integration-specific validation to ensure that each
   // integration has the correct fields populated in [Integration]
 
-  try {
-    const {
+  const {
+    environment,
+    isActive,
+    app,
+    appId,
+    targetEnvironment,
+    owner, // github-specific integration param
+  } = req.body;
+
+  const integration = await Integration.findOneAndUpdate(
+    {
+      _id: req.integration._id,
+    },
+    {
       environment,
       isActive,
       app,
       appId,
       targetEnvironment,
-      owner, // github-specific integration param
-    } = req.body;
-
-    integration = await Integration.findOneAndUpdate(
-      {
-        _id: req.integration._id,
-      },
-      {
-        environment,
-        isActive,
-        app,
-        appId,
-        targetEnvironment,
-        owner,
-      },
-      {
-        new: true,
-      }
-    );
-
-    if (integration) {
-      // trigger event - push secrets
-      EventService.handleEvent({
-        event: eventPushSecrets({
-          workspaceId: integration.workspace,
-          environment
-        }),
-      });
+      owner,
+    },
+    {
+      new: true,
     }
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to update integration",
+  );
+
+  if (integration) {
+    // trigger event - push secrets
+    EventService.handleEvent({
+      event: eventPushSecrets({
+        workspaceId: integration.workspace,
+        environment
+      }),
     });
   }
 
@@ -144,22 +123,13 @@ export const updateIntegration = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegration = async (req: Request, res: Response) => {
-  let integration;
-  try {
-    const { integrationId } = req.params;
+  const { integrationId } = req.params;
 
-    integration = await Integration.findOneAndDelete({
-      _id: integrationId,
-    });
+  const integration = await Integration.findOneAndDelete({
+    _id: integrationId,
+  });
 
-    if (!integration) throw new Error("Failed to find integration");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete integration",
-    });
-  }
+  if (!integration) throw new Error("Failed to find integration");
 
   return res.status(200).send({
     integration,

backend/src/controllers/v1/keyController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { Key } from '../../models';
 import { findMembership } from '../../helpers/membership';
 
@@ -11,34 +10,26 @@ import { findMembership } from '../../helpers/membership';
  * @returns
  */
 export const uploadKey = async (req: Request, res: Response) => {
-	try {
-		const { workspaceId } = req.params;
-		const { key } = req.body;
+  const { workspaceId } = req.params;
+  const { key } = req.body;
 
-		// validate membership of receiver
-		const receiverMembership = await findMembership({
-			user: key.userId,
-			workspace: workspaceId
-		});
+  // validate membership of receiver
+  const receiverMembership = await findMembership({
+    user: key.userId,
+    workspace: workspaceId
+  });
 
-		if (!receiverMembership) {
-			throw new Error('Failed receiver membership validation for workspace');
-		}
+  if (!receiverMembership) {
+    throw new Error('Failed receiver membership validation for workspace');
+  }
 
-		await new Key({
-			encryptedKey: key.encryptedKey,
-			nonce: key.nonce,
-			sender: req.user._id,
-			receiver: key.userId,
-			workspace: workspaceId
-		}).save();
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload key to workspace'
-		});
-	}
+  await new Key({
+    encryptedKey: key.encryptedKey,
+    nonce: key.nonce,
+    sender: req.user._id,
+    receiver: key.userId,
+    workspace: workspaceId
+  }).save();
 
 	return res.status(200).send({
 		message: 'Successfully uploaded key to workspace'
@@ -52,25 +43,16 @@ export const uploadKey = async (req: Request, res: Response) => {
  * @returns
  */
 export const getLatestKey = async (req: Request, res: Response) => {
-	let latestKey;
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-		// get latest key
-		latestKey = await Key.find({
-			workspace: workspaceId,
-			receiver: req.user._id
-		})
-			.sort({ createdAt: -1 })
-			.limit(1)
-			.populate('sender', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get latest key'
-		});
-	}
+  // get latest key
+  const latestKey = await Key.find({
+    workspace: workspaceId,
+    receiver: req.user._id
+  })
+    .sort({ createdAt: -1 })
+    .limit(1)
+    .populate('sender', '+publicKey');
 
 	const resObj: any = {};
 
@@ -79,4 +61,4 @@ export const getLatestKey = async (req: Request, res: Response) => {
 	}
 
 	return res.status(200).send(resObj);
-};
+};

backend/src/controllers/v1/membershipController.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
 import { Membership, MembershipOrg, User, Key } from '../../models';
 import {
@@ -16,25 +15,16 @@ import { getSiteURL } from '../../config';
  * @returns
  */
 export const validateMembership = async (req: Request, res: Response) => {
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
+  // validate membership
+  const membership = await findMembership({
+    user: req.user._id,
+    workspace: workspaceId
+  });
 
-		// validate membership
-		const membership = await findMembership({
-			user: req.user._id,
-			workspace: workspaceId
-		});
-
-		if (!membership) {
-			throw new Error('Failed to validate membership');
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed workspace connection check'
-		});
-	}
+  if (!membership) {
+    throw new Error('Failed to validate membership');
+  }
 
 	return res.status(200).send({
 		message: 'Workspace membership confirmed'
@@ -48,48 +38,39 @@ export const validateMembership = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteMembership = async (req: Request, res: Response) => {
-	let deletedMembership;
-	try {
-		const { membershipId } = req.params;
+  const { membershipId } = req.params;
 
-		// check if membership to delete exists
-		const membershipToDelete = await Membership.findOne({
-			_id: membershipId
-		}).populate('user');
+  // check if membership to delete exists
+  const membershipToDelete = await Membership.findOne({
+    _id: membershipId
+  }).populate('user');
 
-		if (!membershipToDelete) {
-			throw new Error(
-				"Failed to delete workspace membership that doesn't exist"
-			);
-		}
+  if (!membershipToDelete) {
+    throw new Error(
+      "Failed to delete workspace membership that doesn't exist"
+    );
+  }
 
-		// check if user is a member and admin of the workspace
-		// whose membership we wish to delete
-		const membership = await Membership.findOne({
-			user: req.user._id,
-			workspace: membershipToDelete.workspace
-		});
+  // check if user is a member and admin of the workspace
+  // whose membership we wish to delete
+  const membership = await Membership.findOne({
+    user: req.user._id,
+    workspace: membershipToDelete.workspace
+  });
 
-		if (!membership) {
-			throw new Error('Failed to validate workspace membership');
-		}
+  if (!membership) {
+    throw new Error('Failed to validate workspace membership');
+  }
 
-		if (membership.role !== ADMIN) {
-			// user is not an admin member of the workspace
-			throw new Error('Insufficient role for deleting workspace membership');
-		}
+  if (membership.role !== ADMIN) {
+    // user is not an admin member of the workspace
+    throw new Error('Insufficient role for deleting workspace membership');
+  }
 
-		// delete workspace membership
-		deletedMembership = await deleteMember({
-			membershipId: membershipToDelete._id.toString()
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete membership'
-		});
-	}
+  // delete workspace membership
+  const deletedMembership = await deleteMember({
+    membershipId: membershipToDelete._id.toString()
+  });
 
 	return res.status(200).send({
 		deletedMembership
@@ -103,49 +84,40 @@ export const deleteMembership = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeMembershipRole = async (req: Request, res: Response) => {
-	let membershipToChangeRole;
-	try {
-		const { membershipId } = req.params;
-		const { role } = req.body;
+  const { membershipId } = req.params;
+  const { role } = req.body;
 
-		if (![ADMIN, MEMBER].includes(role)) {
-			throw new Error('Failed to validate role');
-		}
+  if (![ADMIN, MEMBER].includes(role)) {
+    throw new Error('Failed to validate role');
+  }
 
-		// validate target membership
-		membershipToChangeRole = await findMembership({
-			_id: membershipId
-		});
+  // validate target membership
+  const membershipToChangeRole = await findMembership({
+    _id: membershipId
+  });
 
-		if (!membershipToChangeRole) {
-			throw new Error('Failed to find membership to change role');
-		}
+  if (!membershipToChangeRole) {
+    throw new Error('Failed to find membership to change role');
+  }
 
-		// check if user is a member and admin of target membership's
-		// workspace
-		const membership = await findMembership({
-			user: req.user._id,
-			workspace: membershipToChangeRole.workspace
-		});
+  // check if user is a member and admin of target membership's
+  // workspace
+  const membership = await findMembership({
+    user: req.user._id,
+    workspace: membershipToChangeRole.workspace
+  });
 
-		if (!membership) {
-			throw new Error('Failed to validate membership');
-		}
+  if (!membership) {
+    throw new Error('Failed to validate membership');
+  }
 
-		if (membership.role !== ADMIN) {
-			// user is not an admin member of the workspace
-			throw new Error('Insufficient role for changing member roles');
-		}
+  if (membership.role !== ADMIN) {
+    // user is not an admin member of the workspace
+    throw new Error('Insufficient role for changing member roles');
+  }
 
-		membershipToChangeRole.role = role;
-		await membershipToChangeRole.save();
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change membership role'
-		});
-	}
+  membershipToChangeRole.role = role;
+  await membershipToChangeRole.save();
 
 	return res.status(200).send({
 		membership: membershipToChangeRole
@@ -159,75 +131,66 @@ export const changeMembershipRole = async (req: Request, res: Response) => {
  * @returns
  */
 export const inviteUserToWorkspace = async (req: Request, res: Response) => {
-	let invitee, latestKey;
-	try {
-		const { workspaceId } = req.params;
-		const { email }: { email: string } = req.body;
+  const { workspaceId } = req.params;
+  const { email }: { email: string } = req.body;
 
-		invitee = await User.findOne({
-			email
-		}).select('+publicKey');
+  const invitee = await User.findOne({
+    email
+  }).select('+publicKey');
 
-		if (!invitee || !invitee?.publicKey)
-			throw new Error('Failed to validate invitee');
+  if (!invitee || !invitee?.publicKey)
+    throw new Error('Failed to validate invitee');
 
-		// validate invitee's workspace membership - ensure member isn't
-		// already a member of the workspace
-		const inviteeMembership = await Membership.findOne({
-			user: invitee._id,
-			workspace: workspaceId
-		});
+  // validate invitee's workspace membership - ensure member isn't
+  // already a member of the workspace
+  const inviteeMembership = await Membership.findOne({
+    user: invitee._id,
+    workspace: workspaceId
+  });
 
-		if (inviteeMembership)
-			throw new Error('Failed to add existing member of workspace');
+  if (inviteeMembership)
+    throw new Error('Failed to add existing member of workspace');
 
-		// validate invitee's organization membership - ensure that only
-		// (accepted) organization members can be added to the workspace
-		const membershipOrg = await MembershipOrg.findOne({
-			user: invitee._id,
-			organization: req.membership.workspace.organization,
-			status: ACCEPTED
-		});
+  // validate invitee's organization membership - ensure that only
+  // (accepted) organization members can be added to the workspace
+  const membershipOrg = await MembershipOrg.findOne({
+    user: invitee._id,
+    organization: req.membership.workspace.organization,
+    status: ACCEPTED
+  });
 
-		if (!membershipOrg)
-			throw new Error("Failed to validate invitee's organization membership");
+  if (!membershipOrg)
+    throw new Error("Failed to validate invitee's organization membership");
 
-		// get latest key
-		latestKey = await Key.findOne({
-			workspace: workspaceId,
-			receiver: req.user._id
-		})
-			.sort({ createdAt: -1 })
-			.populate('sender', '+publicKey');
+  // get latest key
+  const latestKey = await Key.findOne({
+    workspace: workspaceId,
+    receiver: req.user._id
+  })
+    .sort({ createdAt: -1 })
+    .populate('sender', '+publicKey');
 
-		// create new workspace membership
-		const m = await new Membership({
-			user: invitee._id,
-			workspace: workspaceId,
-			role: MEMBER
-		}).save();
+  // create new workspace membership
+  const m = await new Membership({
+    user: invitee._id,
+    workspace: workspaceId,
+    role: MEMBER
+  }).save();
 
-		await sendMail({
-			template: 'workspaceInvitation.handlebars',
-			subjectLine: 'Infisical workspace invitation',
-			recipients: [invitee.email],
-			substitutions: {
-				inviterFirstName: req.user.firstName,
-				inviterEmail: req.user.email,
-				workspaceName: req.membership.workspace.name,
-				callback_url: (await getSiteURL()) + '/login'
-			}
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to invite user to workspace'
-		});
-	}
+  await sendMail({
+    template: 'workspaceInvitation.handlebars',
+    subjectLine: 'Infisical workspace invitation',
+    recipients: [invitee.email],
+    substitutions: {
+      inviterFirstName: req.user.firstName,
+      inviterEmail: req.user.email,
+      workspaceName: req.membership.workspace.name,
+      callback_url: (await getSiteURL()) + '/login'
+    }
+  });
 
 	return res.status(200).send({
 		invitee,
 		latestKey
 	});
-};
+};

backend/src/controllers/v1/membershipOrgController.ts

@@ -1,14 +1,15 @@
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { MembershipOrg, Organization, User } from '../../models';
 import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
 import { createToken } from '../../helpers/auth';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 import { sendMail } from '../../helpers/nodemailer';
 import { TokenService } from '../../services';
+import { EELicenseService } from '../../ee/services';
 import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';
 import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+import { validateUserEmail } from '../../validation';
 
 /**
  * Delete organization membership with id [membershipOrgId] from organization
@@ -17,52 +18,43 @@ import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured
  * @returns
  */
 export const deleteMembershipOrg = async (req: Request, res: Response) => {
-	let membershipOrgToDelete;
-	try {
-		const { membershipOrgId } = req.params;
+  const { membershipOrgId } = req.params;
 
-		// check if organization membership to delete exists
-		membershipOrgToDelete = await MembershipOrg.findOne({
-			_id: membershipOrgId
-		}).populate('user');
+  // check if organization membership to delete exists
+  const membershipOrgToDelete = await MembershipOrg.findOne({
+    _id: membershipOrgId
+  }).populate('user');
 
-		if (!membershipOrgToDelete) {
-			throw new Error(
-				"Failed to delete organization membership that doesn't exist"
-			);
-		}
+  if (!membershipOrgToDelete) {
+    throw new Error(
+      "Failed to delete organization membership that doesn't exist"
+    );
+  }
 
-		// check if user is a member and admin of the organization
-		// whose membership we wish to delete
-		const membershipOrg = await MembershipOrg.findOne({
-			user: req.user._id,
-			organization: membershipOrgToDelete.organization
-		});
+  // check if user is a member and admin of the organization
+  // whose membership we wish to delete
+  const membershipOrg = await MembershipOrg.findOne({
+    user: req.user._id,
+    organization: membershipOrgToDelete.organization
+  });
 
-		if (!membershipOrg) {
-			throw new Error('Failed to validate organization membership');
-		}
+  if (!membershipOrg) {
+    throw new Error('Failed to validate organization membership');
+  }
 
-		if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
-			// user is not an admin member of the organization
-			throw new Error('Insufficient role for deleting organization membership');
-		}
+  if (membershipOrg.role !== OWNER && membershipOrg.role !== ADMIN) {
+    // user is not an admin member of the organization
+    throw new Error('Insufficient role for deleting organization membership');
+  }
 
-		// delete organization membership
-		const deletedMembershipOrg = await deleteMemberFromOrg({
-			membershipOrgId: membershipOrgToDelete._id.toString()
-		});
+  // delete organization membership
+  const deletedMembershipOrg = await deleteMemberFromOrg({
+    membershipOrgId: membershipOrgToDelete._id.toString()
+  });
 
-		await updateSubscriptionOrgQuantity({
-			organizationId: membershipOrg.organization.toString()
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization membership'
-		});
-	}
+  await updateSubscriptionOrgQuantity({
+    organizationId: membershipOrg.organization.toString()
+  });
 
 	return membershipOrgToDelete;
 };
@@ -78,14 +70,6 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// [membershipOrgId]
 
 	let membershipToChangeRole;
-	// try {
-	// } catch (err) {
-	// 	Sentry.setUser({ email: req.user.email });
-	// 	Sentry.captureException(err);
-	// 	return res.status(400).send({
-	// 		message: 'Failed to change organization membership role'
-	// 	});
-	// }
 
 	return res.status(200).send({
 		membershipOrg: membershipToChangeRole
@@ -101,106 +85,114 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
  */
 export const inviteUserToOrganization = async (req: Request, res: Response) => {
 	let invitee, inviteeMembershipOrg, completeInviteLink;
-	try {
-		const { organizationId, inviteeEmail } = req.body;
-		const host = req.headers.host;
-		const siteUrl = `${req.protocol}://${host}`;
+  const { organizationId, inviteeEmail } = req.body;
+  const host = req.headers.host;
+  const siteUrl = `${req.protocol}://${host}`;
 
-		// validate membership
-		const membershipOrg = await MembershipOrg.findOne({
-			user: req.user._id,
-			organization: organizationId
-		});
+  // validate membership
+  const membershipOrg = await MembershipOrg.findOne({
+    user: req.user._id,
+    organization: organizationId
+  });
 
-		if (!membershipOrg) {
-			throw new Error('Failed to validate organization membership');
-		}
+  if (!membershipOrg) {
+    throw new Error('Failed to validate organization membership');
+  }
+  
+  const plan = await EELicenseService.getPlan(organizationId);
+  
+  if (plan.memberLimit !== null) {
+    // case: limit imposed on number of members allowed
+    
+    if (plan.membersUsed >= plan.memberLimit) {
+      // case: number of members used exceeds the number of members allowed
+      return res.status(400).send({
+        message: 'Failed to invite member due to member limit reached. Upgrade plan to invite more members.'
+      });
+    }
+  }
 
-		invitee = await User.findOne({
-			email: inviteeEmail
-		}).select('+publicKey');
+  invitee = await User.findOne({
+    email: inviteeEmail
+  }).select('+publicKey');
 
-		if (invitee) {
-			// case: invitee is an existing user
+  if (invitee) {
+    // case: invitee is an existing user
 
-			inviteeMembershipOrg = await MembershipOrg.findOne({
-				user: invitee._id,
-				organization: organizationId
-			});
+    inviteeMembershipOrg = await MembershipOrg.findOne({
+      user: invitee._id,
+      organization: organizationId
+    });
 
-			if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
-				throw new Error(
-					'Failed to invite an existing member of the organization'
-				);
-			}
+    if (inviteeMembershipOrg && inviteeMembershipOrg.status === ACCEPTED) {
+      throw new Error(
+        'Failed to invite an existing member of the organization'
+      );
+    }
 
-			if (!inviteeMembershipOrg) {
-				
-				await new MembershipOrg({
-					user: invitee,
-					inviteEmail: inviteeEmail,
-					organization: organizationId,
-					role: MEMBER,
-					status: INVITED
-				}).save();
-			}
-		} else {
-			// check if invitee has been invited before
-			inviteeMembershipOrg = await MembershipOrg.findOne({
-				inviteEmail: inviteeEmail,
-				organization: organizationId
-			});
+    if (!inviteeMembershipOrg) {
+      
+      await new MembershipOrg({
+        user: invitee,
+        inviteEmail: inviteeEmail,
+        organization: organizationId,
+        role: MEMBER,
+        status: INVITED
+      }).save();
+    }
+  } else {
+    // check if invitee has been invited before
+    inviteeMembershipOrg = await MembershipOrg.findOne({
+      inviteEmail: inviteeEmail,
+      organization: organizationId
+    });
 
-			if (!inviteeMembershipOrg) {
-				// case: invitee has never been invited before
+    if (!inviteeMembershipOrg) {
+      // case: invitee has never been invited before
+      
+      // validate that email is not disposable
+      validateUserEmail(inviteeEmail);
 
-				await new MembershipOrg({
-					inviteEmail: inviteeEmail,
-					organization: organizationId,
-					role: MEMBER,
-					status: INVITED
-				}).save();
-			}
-		}
+      await new MembershipOrg({
+        inviteEmail: inviteeEmail,
+        organization: organizationId,
+        role: MEMBER,
+        status: INVITED
+      }).save();
+    }
+  }
 
-		const organization = await Organization.findOne({ _id: organizationId });
+  const organization = await Organization.findOne({ _id: organizationId });
 
-		if (organization) {
+  if (organization) {
 
-			const token = await TokenService.createToken({
-				type: TOKEN_EMAIL_ORG_INVITATION,
-				email: inviteeEmail,
-				organizationId: organization._id
-			});
+    const token = await TokenService.createToken({
+      type: TOKEN_EMAIL_ORG_INVITATION,
+      email: inviteeEmail,
+      organizationId: organization._id
+    });
 
-			await sendMail({
-				template: 'organizationInvitation.handlebars',
-				subjectLine: 'Infisical organization invitation',
-				recipients: [inviteeEmail],
-				substitutions: {
-					inviterFirstName: req.user.firstName,
-					inviterEmail: req.user.email,
-					organizationName: organization.name,
-					email: inviteeEmail,
-					organizationId: organization._id.toString(),
-					token,
-					callback_url: (await getSiteURL()) + '/signupinvite'
-				}
-			});
+    await sendMail({
+      template: 'organizationInvitation.handlebars',
+      subjectLine: 'Infisical organization invitation',
+      recipients: [inviteeEmail],
+      substitutions: {
+        inviterFirstName: req.user.firstName,
+        inviterEmail: req.user.email,
+        organizationName: organization.name,
+        email: inviteeEmail,
+        organizationId: organization._id.toString(),
+        token,
+        callback_url: (await getSiteURL()) + '/signupinvite'
+      }
+    });
 
-			if (!(await getSmtpConfigured())) {
-				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
-			}
-		}
+    if (!(await getSmtpConfigured())) {
+      completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
+    }
+  }
 
-		await updateSubscriptionOrgQuantity({ organizationId });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to send organization invite'
-		});
-	}
+  await updateSubscriptionOrgQuantity({ organizationId });
 
 	return res.status(200).send({
 		message: `Sent an invite link to ${req.body.inviteeEmail}`,
@@ -216,70 +208,62 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
-	let user, token;
-	try {
-		const {
-			email,
-			organizationId,
-			code
-		} = req.body;
+	let user;
+  const {
+    email,
+    organizationId,
+    code
+  } = req.body;
 
-		user = await User.findOne({ email }).select('+publicKey');
+  user = await User.findOne({ email }).select('+publicKey');
 
-		const membershipOrg = await MembershipOrg.findOne({
-			inviteEmail: email,
-			status: INVITED,
-			organization: new Types.ObjectId(organizationId)
-		});
+  const membershipOrg = await MembershipOrg.findOne({
+    inviteEmail: email,
+    status: INVITED,
+    organization: new Types.ObjectId(organizationId)
+  });
 
-		if (!membershipOrg)
-			throw new Error('Failed to find any invitations for email');
+  if (!membershipOrg)
+    throw new Error('Failed to find any invitations for email');
 
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_ORG_INVITATION,
-			email,
-			organizationId: membershipOrg.organization,
-			token: code
-		});
+  await TokenService.validateToken({
+    type: TOKEN_EMAIL_ORG_INVITATION,
+    email,
+    organizationId: membershipOrg.organization,
+    token: code
+  });
 
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			// membership can be approved and redirected to login/dashboard
-			membershipOrg.status = ACCEPTED;
-			await membershipOrg.save();
-			
-			await updateSubscriptionOrgQuantity({
-				organizationId
-			});
+  if (user && user?.publicKey) {
+    // case: user has already completed account
+    // membership can be approved and redirected to login/dashboard
+    membershipOrg.status = ACCEPTED;
+    await membershipOrg.save();
+    
+    await updateSubscriptionOrgQuantity({
+      organizationId
+    });
 
-			return res.status(200).send({
-				message: 'Successfully verified email',
-				user,
-			});
-		}
+    return res.status(200).send({
+      message: 'Successfully verified email',
+      user,
+    });
+  }
 
-		if (!user) {
-			// initialize user account
-			user = await new User({
-				email
-			}).save();
-		}
+  if (!user) {
+    // initialize user account
+    user = await new User({
+      email
+    }).save();
+  }
 
-		// generate temporary signup token
-		token = createToken({
-			payload: {
-				userId: user._id.toString()
-			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed email magic link verification for organization invitation'
-		});
-	}
+  // generate temporary signup token
+  const token = createToken({
+    payload: {
+      userId: user._id.toString()
+    },
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
+  });
 
 	return res.status(200).send({
 		message: 'Successfully verified email',

backend/src/controllers/v1/organizationController.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
 import Stripe from 'stripe';
 import {
@@ -15,21 +14,12 @@ import _ from 'lodash';
 import { getStripeSecretKey, getSiteURL } from '../../config';
 
 export const getOrganizations = async (req: Request, res: Response) => {
-	let organizations;
-	try {
-		organizations = (
-			await MembershipOrg.find({
-				user: req.user._id,
-				status: ACCEPTED
-			}).populate('organization')
-		).map((m) => m.organization);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organizations'
-		});
-	}
+  const organizations = (
+    await MembershipOrg.find({
+      user: req.user._id,
+      status: ACCEPTED
+    }).populate('organization')
+  ).map((m) => m.organization);
 
 	return res.status(200).send({
 		organizations
@@ -44,33 +34,24 @@ export const getOrganizations = async (req: Request, res: Response) => {
  * @returns
  */
 export const createOrganization = async (req: Request, res: Response) => {
-	let organization;
-	try {
-		const { organizationName } = req.body;
+  const { organizationName } = req.body;
 
-		if (organizationName.length < 1) {
-			throw new Error('Organization names must be at least 1-character long');
-		}
+  if (organizationName.length < 1) {
+    throw new Error('Organization names must be at least 1-character long');
+  }
 
-		// create organization and add user as member
-		organization = await create({
-			email: req.user.email,
-			name: organizationName
-		});
+  // create organization and add user as member
+  const organization = await create({
+    email: req.user.email,
+    name: organizationName
+  });
 
-		await addMembershipsOrg({
-			userIds: [req.user._id.toString()],
-			organizationId: organization._id.toString(),
-			roles: [OWNER],
-			statuses: [ACCEPTED]
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create organization'
-		});
-	}
+  await addMembershipsOrg({
+    userIds: [req.user._id.toString()],
+    organizationId: organization._id.toString(),
+    roles: [OWNER],
+    statuses: [ACCEPTED]
+  });
 
 	return res.status(200).send({
 		organization
@@ -84,17 +65,7 @@ export const createOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const getOrganization = async (req: Request, res: Response) => {
-	let organization;
-	try {
-		organization = req.organization
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to find organization'
-		});
-	}
-
+	const organization = req.organization
 	return res.status(200).send({
 		organization
 	});
@@ -107,20 +78,11 @@ export const getOrganization = async (req: Request, res: Response) => {
  * @returns
  */
 export const getOrganizationMembers = async (req: Request, res: Response) => {
-	let users;
-	try {
-		const { organizationId } = req.params;
+  const { organizationId } = req.params;
 
-		users = await MembershipOrg.find({
-			organization: organizationId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization members'
-		});
-	}
+  const users = await MembershipOrg.find({
+    organization: organizationId
+  }).populate('user', '+publicKey');
 
 	return res.status(200).send({
 		users
@@ -137,35 +99,26 @@ export const getOrganizationWorkspaces = async (
 	req: Request,
 	res: Response
 ) => {
-	let workspaces;
-	try {
-		const { organizationId } = req.params;
+  const { organizationId } = req.params;
 
-		const workspacesSet = new Set(
-			(
-				await Workspace.find(
-					{
-						organization: organizationId
-					},
-					'_id'
-				)
-			).map((w) => w._id.toString())
-		);
+  const workspacesSet = new Set(
+    (
+      await Workspace.find(
+        {
+          organization: organizationId
+        },
+        '_id'
+      )
+    ).map((w) => w._id.toString())
+  );
 
-		workspaces = (
-			await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
-		)
-			.filter((m) => workspacesSet.has(m.workspace._id.toString()))
-			.map((m) => m.workspace);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get my workspaces'
-		});
-	}
+  const workspaces = (
+    await Membership.find({
+      user: req.user._id
+    }).populate('workspace')
+  )
+    .filter((m) => workspacesSet.has(m.workspace._id.toString()))
+    .map((m) => m.workspace);
 
 	return res.status(200).send({
 		workspaces
@@ -179,29 +132,20 @@ export const getOrganizationWorkspaces = async (
  * @returns
  */
 export const changeOrganizationName = async (req: Request, res: Response) => {
-	let organization;
-	try {
-		const { organizationId } = req.params;
-		const { name } = req.body;
+  const { organizationId } = req.params;
+  const { name } = req.body;
 
-		organization = await Organization.findOneAndUpdate(
-			{
-				_id: organizationId
-			},
-			{
-				name
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change organization name'
-		});
-	}
+  const organization = await Organization.findOneAndUpdate(
+    {
+      _id: organizationId
+    },
+    {
+      name
+    },
+    {
+      new: true
+    }
+  );
 
 	return res.status(200).send({
 		message: 'Successfully changed organization name',
@@ -219,20 +163,11 @@ export const getOrganizationIncidentContacts = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactsOrg;
-	try {
-		const { organizationId } = req.params;
+  const { organizationId } = req.params;
 
-		incidentContactsOrg = await IncidentContactOrg.find({
-			organization: organizationId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization incident contacts'
-		});
-	}
+  const incidentContactsOrg = await IncidentContactOrg.find({
+    organization: organizationId
+  });
 
 	return res.status(200).send({
 		incidentContactsOrg
@@ -249,23 +184,14 @@ export const addOrganizationIncidentContact = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactOrg;
-	try {
-		const { organizationId } = req.params;
-		const { email } = req.body;
+  const { organizationId } = req.params;
+  const { email } = req.body;
 
-		incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
-			{ email, organization: organizationId },
-			{ email, organization: organizationId },
-			{ upsert: true, new: true }
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to add incident contact for organization'
-		});
-	}
+  const incidentContactOrg = await IncidentContactOrg.findOneAndUpdate(
+    { email, organization: organizationId },
+    { email, organization: organizationId },
+    { upsert: true, new: true }
+  );
 
 	return res.status(200).send({
 		incidentContactOrg
@@ -282,22 +208,13 @@ export const deleteOrganizationIncidentContact = async (
 	req: Request,
 	res: Response
 ) => {
-	let incidentContactOrg;
-	try {
-		const { organizationId } = req.params;
-		const { email } = req.body;
+  const { organizationId } = req.params;
+  const { email } = req.body;
 
-		incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
-			email,
-			organization: organizationId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization incident contact'
-		});
-	}
+  const incidentContactOrg = await IncidentContactOrg.findOneAndDelete({
+    email,
+    organization: organizationId
+  });
 
 	return res.status(200).send({
 		message: 'Successfully deleted organization incident contact',
@@ -317,41 +234,33 @@ export const createOrganizationPortalSession = async (
 	res: Response
 ) => {
 	let session;
-	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
+  const stripe = new Stripe(await getStripeSecretKey(), {
+    apiVersion: '2022-08-01'
+  });
 
-		// check if there is a payment method on file
-		const paymentMethods = await stripe.paymentMethods.list({
-			customer: req.organization.customerId,
-			type: 'card'
-		});
-		
-		if (paymentMethods.data.length < 1) {
-			// case: no payment method on file
-			session = await stripe.checkout.sessions.create({
-				customer: req.organization.customerId,
-				mode: 'setup',
-				payment_method_types: ['card'],
-				success_url: (await getSiteURL()) + '/dashboard',
-				cancel_url: (await getSiteURL()) + '/dashboard'
-			});
-		} else {
-			session = await stripe.billingPortal.sessions.create({
-				customer: req.organization.customerId,
-				return_url: (await getSiteURL()) + '/dashboard'
-			});
-		}
+  // check if there is a payment method on file
+  const paymentMethods = await stripe.paymentMethods.list({
+    customer: req.organization.customerId,
+    type: 'card'
+  });
+  
+  if (paymentMethods.data.length < 1) {
+    // case: no payment method on file
+    session = await stripe.checkout.sessions.create({
+      customer: req.organization.customerId,
+      mode: 'setup',
+      payment_method_types: ['card'],
+      success_url: (await getSiteURL()) + '/dashboard',
+      cancel_url: (await getSiteURL()) + '/dashboard'
+    });
+  } else {
+    session = await stripe.billingPortal.sessions.create({
+      customer: req.organization.customerId,
+      return_url: (await getSiteURL()) + '/dashboard'
+    });
+  }
 
-		return res.status(200).send({ url: session.url });
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to redirect to organization billing portal'
-		});
-	}
+  return res.status(200).send({ url: session.url });
 };
 
 /**
@@ -364,22 +273,13 @@ export const getOrganizationSubscriptions = async (
 	req: Request,
 	res: Response
 ) => {
-	let subscriptions;
-	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
-		
-		subscriptions = await stripe.subscriptions.list({
-			customer: req.organization.customerId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization subscriptions'
-		});
-	}
+  const stripe = new Stripe(await getStripeSecretKey(), {
+    apiVersion: '2022-08-01'
+  });
+  
+  const subscriptions = await stripe.subscriptions.list({
+    customer: req.organization.customerId
+  });
 
 	return res.status(200).send({
 		subscriptions
@@ -425,4 +325,4 @@ export const getOrganizationMembersAndTheirWorkspaces = async (
 	});
 
 	return res.json(userToWorkspaceIds);
-};
+};

backend/src/controllers/v1/passwordController.ts

@@ -1,15 +1,25 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
 import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
-import { createToken } from '../../helpers/auth';
-import { sendMail } from '../../helpers/nodemailer';
+import {
+	createToken,
+	sendMail,
+	clearTokens
+} from '../../helpers';
 import { TokenService } from '../../services';
-import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
+import { 
+	TOKEN_EMAIL_PASSWORD_RESET,
+	AUTH_MODE_JWT
+} from '../../variables';
 import { BadRequestError } from '../../utils/errors';
-import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../config';
+import { 
+	getSiteURL, 
+	getJwtSignupLifetime, 
+	getJwtSignupSecret,
+	getHttpsEnabled
+} from '../../config';
 
 /**
  * Password reset step 1: Send email verification link to email [email] 
@@ -20,43 +30,35 @@ import { getSiteURL, getJwtSignupLifetime, getJwtSignupSecret } from '../../conf
  */
 export const emailPasswordReset = async (req: Request, res: Response) => {
 	let email: string;
-	try {
-		email = req.body.email;
+  email = req.body.email;
 
-		const user = await User.findOne({ email }).select('+publicKey');
-		if (!user || !user?.publicKey) {
-			// case: user has already completed account
+  const user = await User.findOne({ email }).select('+publicKey');
+  if (!user || !user?.publicKey) {
+    // case: user has already completed account
 
-			return res.status(403).send({
-				error: 'Failed to send email verification for password reset'
-			});
-		}
-		
-		const token = await TokenService.createToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email
-		});
-		
-		await sendMail({
-			template: 'passwordReset.handlebars',
-			subjectLine: 'Infisical password reset',
-			recipients: [email],
-			substitutions: {
-				email,
-				token,
-				callback_url: (await getSiteURL()) + '/password-reset'
-			}
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to send email for account recovery'
-		});
-	}
+    return res.status(200).send({
+      message:"If an account exists with this email, a password reset link has been sent" 
+    });
+  }
+  
+  const token = await TokenService.createToken({
+    type: TOKEN_EMAIL_PASSWORD_RESET,
+    email
+  });
+  
+  await sendMail({
+    template: 'passwordReset.handlebars',
+    subjectLine: 'Infisical password reset',
+    recipients: [email],
+    substitutions: {
+      email,
+      token,
+      callback_url: (await getSiteURL()) + '/password-reset'
+    }
+  });
 
 	return res.status(200).send({
-		message: `Sent an email for account recovery to ${email}`
+		message:"If an account exists with this email, a password reset link has been sent" 
 	});
 }
 
@@ -67,40 +69,31 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
  * @returns 
  */
 export const emailPasswordResetVerify = async (req: Request, res: Response) => {
-	let user, token;
-	try {
-		const { email, code } = req.body;
+  const { email, code } = req.body;
 
-		user = await User.findOne({ email }).select('+publicKey');
-		if (!user || !user?.publicKey) {
-			// case: user doesn't exist with email [email] or 
-			// hasn't even completed their account
-			return res.status(403).send({
-				error: 'Failed email verification for password reset'
-			});
-		}
-		
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_PASSWORD_RESET,
-			email,
-			token: code
-		});
+  const user = await User.findOne({ email }).select('+publicKey');
+  if (!user || !user?.publicKey) {
+    // case: user doesn't exist with email [email] or 
+    // hasn't even completed their account
+    return res.status(403).send({
+      error: 'Failed email verification for password reset'
+    });
+  }
+  
+  await TokenService.validateToken({
+    type: TOKEN_EMAIL_PASSWORD_RESET,
+    email,
+    token: code
+  });
 
-		// generate temporary password-reset token
-		token = createToken({
-			payload: {
-				userId: user._id.toString()
-			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed email verification for password reset'
-		});
-	}
+  // generate temporary password-reset token
+  const token = createToken({
+    payload: {
+      userId: user._id.toString()
+    },
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
+  });
 
 	return res.status(200).send({
 		message: 'Successfully verified email',
@@ -117,44 +110,38 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
  */
 export const srp1 = async (req: Request, res: Response) => {
 	// return salt, serverPublicKey as part of first step of SRP protocol
-	try {
-		const { clientPublicKey } = req.body;
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
+	
+  const { clientPublicKey } = req.body;
+  const user = await User.findOne({
+    email: req.user.email
+  }).select('+salt +verifier');
 
-		if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error('Failed to find user');
 
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier
-			},
-			async () => {
-				// generate server-side public key
-				const serverPublicKey = server.getPublicKey();
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier
+    },
+    async () => {
+      // generate server-side public key
+      const serverPublicKey = server.getPublicKey();
 
-				await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
-					email: req.user.email,
-					clientPublicKey: clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt),
-				}, { upsert: true, returnNewDocument: false })
+      await LoginSRPDetail.findOneAndReplace({ email: req.user.email }, {
+        email: req.user.email,
+        clientPublicKey: clientPublicKey,
+        serverBInt: bigintConversion.bigintToBuf(server.bInt),
+      }, { upsert: true, returnNewDocument: false })
+
+      return res.status(200).send({
+        serverPublicKey,
+        salt: user.salt
+      });
+    }
+  );
+}
 
-				return res.status(200).send({
-					serverPublicKey,
-					salt: user.salt
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to start change password process'
-		});
-	}
-};
 
 /**
  * Change account SRP authentication information for user
@@ -165,80 +152,85 @@ export const srp1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const changePassword = async (req: Request, res: Response) => {
-	try {
-		const { 
-			clientProof, 
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
+  const { 
+    clientProof, 
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier
+  } = req.body;
 
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
+  const user = await User.findOne({
+    email: req.user.email
+  }).select('+salt +verifier');
 
-		if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error('Failed to find user');
 
-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
 
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
+  if (!loginSRPDetailFromDB) {
+    return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+  }
 
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
-			},
-			async () => {
-				server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+      b: loginSRPDetailFromDB.serverBInt
+    },
+    async () => {
+      server.setClientPublicKey(loginSRPDetailFromDB.clientPublicKey);
 
-				// compare server and client shared keys
-				if (server.checkClientProof(clientProof)) {
-					// change password
+      // compare server and client shared keys
+      if (server.checkClientProof(clientProof)) {
+        // change password
 
-					await User.findByIdAndUpdate(
-						req.user._id.toString(),
-						{
-							encryptionVersion: 2,
-							protectedKey,
-							protectedKeyIV,
-							protectedKeyTag,
-							encryptedPrivateKey,
-							iv: encryptedPrivateKeyIV,
-							tag: encryptedPrivateKeyTag,
-							salt,
-							verifier
-						},
-						{
-							new: true
-						}
-					);
+        await User.findByIdAndUpdate(
+          req.user._id.toString(),
+          {
+            encryptionVersion: 2,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+            encryptedPrivateKey,
+            iv: encryptedPrivateKeyIV,
+            tag: encryptedPrivateKeyTag,
+            salt,
+            verifier
+          },
+          {
+            new: true
+          }
+        );
+      
+        if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User && req.authData.tokenVersionId) {
+          await clearTokens(req.authData.tokenVersionId)
+        }
 
-					return res.status(200).send({
-						message: 'Successfully changed password'
-					});
-				}
+        // clear httpOnly cookie
+        
+        res.cookie('jid', '', {
+          httpOnly: true,
+          path: '/',
+          sameSite: 'strict',
+          secure: (await getHttpsEnabled()) as boolean
+        });
 
-				return res.status(400).send({
-					error: 'Failed to change password. Try again?'
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to change password. Try again?'
-		});
-	}
+        return res.status(200).send({
+          message: 'Successfully changed password'
+        });
+      }
+
+      return res.status(400).send({
+        error: 'Failed to change password. Try again?'
+      });
+    }
+  );
 };
 
 /**
@@ -252,69 +244,61 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
 	// requires verifying [clientProof] as part of second step of SRP protocol
 	// as initiated in /srp1
 
-	try {
-		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
-			req.body;
-		const user = await User.findOne({
-			email: req.user.email
-		}).select('+salt +verifier');
+  const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
+    req.body;
+  const user = await User.findOne({
+    email: req.user.email
+  }).select('+salt +verifier');
 
-		if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error('Failed to find user');
 
-		const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
+  const loginSRPDetailFromDB = await LoginSRPDetail.findOneAndDelete({ email: req.user.email })
 
-		if (!loginSRPDetailFromDB) {
-			return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
-		}
+  if (!loginSRPDetailFromDB) {
+    return BadRequestError(Error("It looks like some details from the first login are not found. Please try login one again"))
+  }
 
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier,
-				b: loginSRPDetailFromDB.serverBInt
-			},
-			async () => {
-				server.setClientPublicKey(
-					loginSRPDetailFromDB.clientPublicKey
-				);
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+      b: loginSRPDetailFromDB.serverBInt
+    },
+    async () => {
+      server.setClientPublicKey(
+        loginSRPDetailFromDB.clientPublicKey
+      );
 
-				// compare server and client shared keys
-				if (server.checkClientProof(clientProof)) {
-					// create new or replace backup private key
+      // compare server and client shared keys
+      if (server.checkClientProof(clientProof)) {
+        // create new or replace backup private key
 
-					const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
-						{ user: req.user._id },
-						{
-							user: req.user._id,
-							encryptedPrivateKey,
-							iv,
-							tag,
-							salt,
-							verifier
-						},
-						{ upsert: true, new: true }
-					).select('+user, encryptedPrivateKey');
+        const backupPrivateKey = await BackupPrivateKey.findOneAndUpdate(
+          { user: req.user._id },
+          {
+            user: req.user._id,
+            encryptedPrivateKey,
+            iv,
+            tag,
+            salt,
+            verifier
+          },
+          { upsert: true, new: true }
+        ).select('+user, encryptedPrivateKey');
 
-					// issue tokens
-					return res.status(200).send({
-						message: 'Successfully updated backup private key',
-						backupPrivateKey
-					});
-				}
+        // issue tokens
+        return res.status(200).send({
+          message: 'Successfully updated backup private key',
+          backupPrivateKey
+        });
+      }
 
-				return res.status(400).send({
-					message: 'Failed to update backup private key'
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update backup private key'
-		});
-	}
+      return res.status(400).send({
+        message: 'Failed to update backup private key'
+      });
+    }
+  );
 };
 
 /**
@@ -324,20 +308,11 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
  * @returns 
  */
 export const getBackupPrivateKey = async (req: Request, res: Response) => {
-	let backupPrivateKey;
-	try {
-		backupPrivateKey = await BackupPrivateKey.findOne({
-			user: req.user._id
-		}).select('+encryptedPrivateKey +iv +tag');
+  const backupPrivateKey = await BackupPrivateKey.findOne({
+    user: req.user._id
+  }).select('+encryptedPrivateKey +iv +tag');
 
-		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get backup private key'
-		});
-	}
+  if (!backupPrivateKey) throw new Error('Failed to find backup private key');
 
 	return res.status(200).send({
 		backupPrivateKey
@@ -345,44 +320,36 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 }
 
 export const resetPassword = async (req: Request, res: Response) => {
-	try {
-		const {
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier,
-		} = req.body;
+  const {
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier,
+  } = req.body;
 
-		await User.findByIdAndUpdate(
-			req.user._id.toString(),
-			{
-				encryptionVersion: 2,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,	
-				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
-				salt,
-				verifier
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get backup private key'
-		});
-	}
+  await User.findByIdAndUpdate(
+    req.user._id.toString(),
+    {
+      encryptionVersion: 2,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,	
+      encryptedPrivateKey,
+      iv: encryptedPrivateKeyIV,
+      tag: encryptedPrivateKeyTag,
+      salt,
+      verifier
+    },
+    {
+      new: true
+    }
+  );
 
 	return res.status(200).send({
 		message: 'Successfully reset password'
 	});
-}
+}

backend/src/controllers/v1/secretController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { Key, Secret } from '../../models';
 import {
@@ -37,66 +36,56 @@ interface PushSecret {
  */
 export const pushSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
+  const postHogClient = await TelemetryService.getPostHogClient();
+  let { secrets }: { secrets: PushSecret[] } = req.body;
+  const { keys, environment, channel } = req.body;
+  const { workspaceId } = req.params;
 
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		let { secrets }: { secrets: PushSecret[] } = req.body;
-		const { keys, environment, channel } = req.body;
-		const { workspaceId } = req.params;
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error('Failed to validate environment');
+  }
 
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+  // sanitize secrets
+  secrets = secrets.filter(
+    (s: PushSecret) => s.ciphertextKey !== '' && s.ciphertextValue !== ''
+  );
 
-		// sanitize secrets
-		secrets = secrets.filter(
-			(s: PushSecret) => s.ciphertextKey !== '' && s.ciphertextValue !== ''
-		);
+  await push({
+    userId: req.user._id,
+    workspaceId,
+    environment,
+    secrets
+  });
 
-		await push({
-			userId: req.user._id,
-			workspaceId,
-			environment,
-			secrets
-		});
+  await pushKeys({
+    userId: req.user._id,
+    workspaceId,
+    keys
+  });
+  
+  
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets pushed',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : 'cli'
+      }
+    });
+  }
 
-		await pushKeys({
-			userId: req.user._id,
-			workspaceId,
-			keys
-		});
-		
-		
-		if (postHogClient) {
-			postHogClient.capture({
-				event: 'secrets pushed',
-				distinctId: req.user.email,
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-
-		// trigger event - push secrets
-		EventService.handleEvent({
-			event: eventPushSecrets({
-				workspaceId: new Types.ObjectId(workspaceId),
-				environment
-			})
-		});
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload workspace secrets'
-		});
-	}
+  // trigger event - push secrets
+  EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment
+    })
+  });
 
 	return res.status(200).send({
 		message: 'Successfully uploaded workspace secrets'
@@ -113,55 +102,48 @@ export const pushSecrets = async (req: Request, res: Response) => {
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		const environment: string = req.query.environment as string;
-		const channel: string = req.query.channel as string;
-		const { workspaceId } = req.params;
 
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+	const postHogClient = await TelemetryService.getPostHogClient();
+	const environment: string = req.query.environment as string;
+	const channel: string = req.query.channel as string;
+	const { workspaceId } = req.params;
 
-		secrets = await pull({
-			userId: req.user._id.toString(),
-			workspaceId,
-			environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
+	// validate environment
+	const workspaceEnvs = req.membership.workspace.environments;
+	if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		throw new Error('Failed to validate environment');
+	}
 
-		key = await Key.findOne({
-			workspace: workspaceId,
-			receiver: req.user._id
-		})
-			.sort({ createdAt: -1 })
-			.populate('sender', '+publicKey');
-		
-		if (channel !== 'cli') {
-			secrets = reformatPullSecrets({ secrets });
-		}
+	secrets = await pull({
+		userId: req.user._id.toString(),
+		workspaceId,
+		environment,
+		channel: channel ? channel : 'cli',
+		ipAddress: req.realIP
+	});
 
-		if (postHogClient) {
-			// capture secrets pushed event in production
-			postHogClient.capture({
-				distinctId: req.user.email,
-				event: 'secrets pulled',
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
+	key = await Key.findOne({
+		workspace: workspaceId,
+		receiver: req.user._id
+	})
+		.sort({ createdAt: -1 })
+		.populate('sender', '+publicKey');
+	
+	if (channel !== 'cli') {
+		secrets = reformatPullSecrets({ secrets });
+	}
+
+	if (postHogClient) {
+		// capture secrets pushed event in production
+		postHogClient.capture({
+			distinctId: req.user.email,
+			event: 'secrets pulled',
+			properties: {
+				numberOfSecrets: secrets.length,
+				environment,
+				workspaceId,
+				channel: channel ? channel : 'cli'
+			}
 		});
 	}
 
@@ -182,54 +164,47 @@ export const pullSecrets = async (req: Request, res: Response) => {
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		const environment: string = req.query.environment as string;
-		const channel: string = req.query.channel as string;
-		const { workspaceId } = req.params;
 
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+	const postHogClient = await TelemetryService.getPostHogClient();
+	const environment: string = req.query.environment as string;
+	const channel: string = req.query.channel as string;
+	const { workspaceId } = req.params;
 
-		secrets = await pull({
-			userId: req.serviceToken.user._id.toString(),
-			workspaceId,
-			environment,
-			channel: 'cli',
-			ipAddress: req.ip
-		});
+	// validate environment
+	const workspaceEnvs = req.membership.workspace.environments;
+	if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+		throw new Error('Failed to validate environment');
+	}
 
-		key = {
-			encryptedKey: req.serviceToken.encryptedKey,
-			nonce: req.serviceToken.nonce,
-			sender: {
-				publicKey: req.serviceToken.publicKey
-			},
-			receiver: req.serviceToken.user,
-			workspace: req.serviceToken.workspace
-		};
+	secrets = await pull({
+		userId: req.serviceToken.user._id.toString(),
+		workspaceId,
+		environment,
+		channel: 'cli',
+		ipAddress: req.realIP
+	});
 
-		if (postHogClient) {
-			// capture secrets pulled event in production
-			postHogClient.capture({
-				distinctId: req.serviceToken.user.email,
-				event: 'secrets pulled',
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.serviceToken.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
+	key = {
+		encryptedKey: req.serviceToken.encryptedKey,
+		nonce: req.serviceToken.nonce,
+		sender: {
+			publicKey: req.serviceToken.publicKey
+		},
+		receiver: req.serviceToken.user,
+		workspace: req.serviceToken.workspace
+	};
+
+	if (postHogClient) {
+		// capture secrets pulled event in production
+		postHogClient.capture({
+			distinctId: req.serviceToken.user.email,
+			event: 'secrets pulled',
+			properties: {
+				numberOfSecrets: secrets.length,
+				environment,
+				workspaceId,
+				channel: channel ? channel : 'cli'
+			}
 		});
 	}
 
@@ -237,4 +212,4 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		secrets: reformatPullSecrets({ secrets }),
 		key
 	});
-};
+};

backend/src/controllers/v1/signupController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { User } from '../../models';
 import {
 	sendEmailVerification,
@@ -8,6 +7,7 @@ import {
 import { createToken } from '../../helpers/auth';
 import { BadRequestError } from '../../utils/errors';
 import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpConfigured } from '../../config';
+import { validateUserEmail } from '../../validation';
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -18,28 +18,23 @@ import { getInviteOnlySignup, getJwtSignupLifetime, getJwtSignupSecret, getSmtpC
  */
 export const beginEmailSignup = async (req: Request, res: Response) => {
 	let email: string;
-	try {
-		email = req.body.email;
+  email = req.body.email;
+  
+  // validate that email is not disposable
+  validateUserEmail(email);
 
-		const user = await User.findOne({ email }).select('+publicKey');
-		if (user && user?.publicKey) {
-			// case: user has already completed account
+  const user = await User.findOne({ email }).select('+publicKey');
+  if (user && user?.publicKey) {
+    // case: user has already completed account
 
-			return res.status(403).send({
-				error: 'Failed to send email verification code for complete account'
-			});
-		}
+    return res.status(403).send({
+      error: 'Failed to send email verification code for complete account'
+    });
+  }
+
+  // send send verification email
+  await sendEmailVerification({ email });
 
-		// send send verification email
-		await sendEmailVerification({ email });
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to send email verification code'
-		});
-	}
-	
 	return res.status(200).send({
 		message: `Sent an email verification code to ${email}`
 	});
@@ -54,55 +49,47 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
  */
 export const verifyEmailSignup = async (req: Request, res: Response) => {
 	let user, token;
-	try {
-		const { email, code } = req.body;
+  const { email, code } = req.body;
 
-		// initialize user account
-		user = await User.findOne({ email }).select('+publicKey');
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			return res.status(403).send({
-				error: 'Failed email verification for complete user'
-			});
-		}
+  // initialize user account
+  user = await User.findOne({ email }).select('+publicKey');
+  if (user && user?.publicKey) {
+    // case: user has already completed account
+    return res.status(403).send({
+      error: 'Failed email verification for complete user'
+    });
+  }
 
-		if (await getInviteOnlySignup()) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
+  if (await getInviteOnlySignup()) {
+    // Only one user can create an account without being invited. The rest need to be invited in order to make an account
+    const userCount = await User.countDocuments({})
+    if (userCount != 0) {
+      throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+    }
+  }
 
-		// verify email
-		if (await getSmtpConfigured()) {
-			await checkEmailVerification({
-				email,
-				code
-			});
-		}
+  // verify email
+  if (await getSmtpConfigured()) {
+    await checkEmailVerification({
+      email,
+      code
+    });
+  }
 
-		if (!user) {
-			user = await new User({
-				email
-			}).save();
-		}
+  if (!user) {
+    user = await new User({
+      email
+    }).save();
+  }
 
-		// generate temporary signup token
-		token = createToken({
-			payload: {
-				userId: user._id.toString()
-			},
-			expiresIn: await getJwtSignupLifetime(),
-			secret: await getJwtSignupSecret()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed email verification'
-		});
-	}
+  // generate temporary signup token
+  token = createToken({
+    payload: {
+      userId: user._id.toString()
+    },
+    expiresIn: await getJwtSignupLifetime(),
+    secret: await getJwtSignupSecret()
+  });
 
 	return res.status(200).send({
 		message: 'Successfuly verified email',

backend/src/controllers/v1/stripeController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
 import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
 
@@ -10,26 +9,17 @@ import { getStripeSecretKey, getStripeWebhookSecret } from '../../config';
  * @returns
  */
 export const handleWebhook = async (req: Request, res: Response) => {
-	let event;
-	try {
-		// check request for valid stripe signature
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
+  // check request for valid stripe signature
+  const stripe = new Stripe(await getStripeSecretKey(), {
+    apiVersion: '2022-08-01'
+  });
 
-		const sig = req.headers['stripe-signature'] as string;
-		event = stripe.webhooks.constructEvent(
-			req.body,
-			sig,
-			await getStripeWebhookSecret()
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to process webhook'
-		});
-	}
+  const sig = req.headers['stripe-signature'] as string;
+  const event = stripe.webhooks.constructEvent(
+    req.body,
+    sig,
+    await getStripeWebhookSecret()
+  );
 
 	switch (event.type) {
 		case '':

backend/src/controllers/v1/userActionController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { UserAction } from '../../models';
 
 /**
@@ -11,28 +10,19 @@ import { UserAction } from '../../models';
 export const addUserAction = async (req: Request, res: Response) => {
 	// add/record new action [action] for user with id [req.user._id]
 
-	let userAction;
-	try {
-		const { action } = req.body;
+  const { action } = req.body;
 
-		userAction = await UserAction.findOneAndUpdate(
-			{
-				user: req.user._id,
-				action
-			},
-			{ user: req.user._id, action },
-			{
-				new: true,
-				upsert: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to record user action'
-		});
-	}
+  const userAction = await UserAction.findOneAndUpdate(
+    {
+      user: req.user._id,
+      action
+    },
+    { user: req.user._id, action },
+    {
+      new: true,
+      upsert: true
+    }
+  );
 
 	return res.status(200).send({
 		message: 'Successfully recorded user action',
@@ -48,21 +38,12 @@ export const addUserAction = async (req: Request, res: Response) => {
  */
 export const getUserAction = async (req: Request, res: Response) => {
 	// get user action [action] for user with id [req.user._id]
-	let userAction;
-	try {
-		const action: string = req.query.action as string;
+  const action: string = req.query.action as string;
 
-		userAction = await UserAction.findOne({
-			user: req.user._id,
-			action
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get user action'
-		});
-	}
+  const userAction = await UserAction.findOne({
+    user: req.user._id,
+    action
+  });
 
 	return res.status(200).send({
 		userAction

backend/src/controllers/v1/workspaceController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import {
   Workspace,
   Membership,
@@ -14,6 +13,7 @@ import {
   createWorkspace as create,
   deleteWorkspace as deleteWork,
 } from "../../helpers/workspace";
+import { EELicenseService } from '../../ee/services';
 import { addMemberships } from "../../helpers/membership";
 import { ADMIN } from "../../variables";
 
@@ -24,27 +24,18 @@ import { ADMIN } from "../../variables";
  * @returns
  */
 export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-  let publicKeys;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    publicKeys = (
-      await Membership.find({
-        workspace: workspaceId,
-      }).populate<{ user: IUser }>("user", "publicKey")
-    ).map((member) => {
-      return {
-        publicKey: member.user.publicKey,
-        userId: member.user._id,
-      };
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace member public keys",
-    });
-  }
+  const publicKeys = (
+    await Membership.find({
+      workspace: workspaceId,
+    }).populate<{ user: IUser }>("user", "publicKey")
+  ).map((member) => {
+    return {
+      publicKey: member.user.publicKey,
+      userId: member.user._id,
+    };
+  });
 
   return res.status(200).send({
     publicKeys,
@@ -58,20 +49,11 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-  let users;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    users = await Membership.find({
-      workspace: workspaceId,
-    }).populate("user", "+publicKey");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace members",
-    });
-  }
+  const users = await Membership.find({
+    workspace: workspaceId,
+  }).populate("user", "+publicKey");
 
   return res.status(200).send({
     users,
@@ -85,20 +67,11 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaces = async (req: Request, res: Response) => {
-  let workspaces;
-  try {
-    workspaces = (
-      await Membership.find({
-        user: req.user._id,
-      }).populate("workspace")
-    ).map((m) => m.workspace);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspaces",
-    });
-  }
+  const workspaces = (
+    await Membership.find({
+      user: req.user._id,
+    }).populate("workspace")
+  ).map((m) => m.workspace);
 
   return res.status(200).send({
     workspaces,
@@ -112,20 +85,11 @@ export const getWorkspaces = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    workspace = await Workspace.findOne({
-      _id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace",
-    });
-  }
+  const workspace = await Workspace.findOne({
+    _id: workspaceId,
+  });
 
   return res.status(200).send({
     workspace,
@@ -140,43 +104,46 @@ export const getWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const createWorkspace = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceName, organizationId } = req.body;
+  const { workspaceName, organizationId } = req.body;
 
-    // validate organization membership
-    const membershipOrg = await MembershipOrg.findOne({
-      user: req.user._id,
-      organization: organizationId,
-    });
+  // validate organization membership
+  const membershipOrg = await MembershipOrg.findOne({
+    user: req.user._id,
+    organization: organizationId,
+  });
 
-    if (!membershipOrg) {
-      throw new Error("Failed to validate organization membership");
-    }
-
-    if (workspaceName.length < 1) {
-      throw new Error("Workspace names must be at least 1-character long");
-    }
-
-    // create workspace and add user as member
-    workspace = await create({
-      name: workspaceName,
-      organizationId,
-    });
-
-    await addMemberships({
-      userIds: [req.user._id],
-      workspaceId: workspace._id.toString(),
-      roles: [ADMIN],
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to create workspace",
-    });
+  if (!membershipOrg) {
+    throw new Error("Failed to validate organization membership");
   }
 
+  const plan = await EELicenseService.getPlan(organizationId);
+  
+  if (plan.workspaceLimit !== null) {
+    // case: limit imposed on number of workspaces allowed
+    if (plan.workspacesUsed >= plan.workspaceLimit) {
+      // case: number of workspaces used exceeds the number of workspaces allowed
+      return res.status(400).send({
+        message: 'Failed to create workspace due to plan limit reached. Upgrade plan to add more workspaces.'
+      });
+    }
+  }
+
+  if (workspaceName.length < 1) {
+    throw new Error("Workspace names must be at least 1-character long");
+  }
+
+  // create workspace and add user as member
+  const workspace = await create({
+    name: workspaceName,
+    organizationId,
+  });
+
+  await addMemberships({
+    userIds: [req.user._id],
+    workspaceId: workspace._id.toString(),
+    roles: [ADMIN],
+  });
+
   return res.status(200).send({
     workspace,
   });
@@ -189,20 +156,12 @@ export const createWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteWorkspace = async (req: Request, res: Response) => {
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    // delete workspace
-    await deleteWork({
-      id: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to delete workspace",
-    });
-  }
+  // delete workspace
+  await deleteWork({
+    id: workspaceId,
+  });
 
   return res.status(200).send({
     message: "Successfully deleted workspace",
@@ -216,29 +175,20 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
  * @returns
  */
 export const changeWorkspaceName = async (req: Request, res: Response) => {
-  let workspace;
-  try {
-    const { workspaceId } = req.params;
-    const { name } = req.body;
+  const { workspaceId } = req.params;
+  const { name } = req.body;
 
-    workspace = await Workspace.findOneAndUpdate(
-      {
-        _id: workspaceId,
-      },
-      {
-        name,
-      },
-      {
-        new: true,
-      }
-    );
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to change workspace name",
-    });
-  }
+  const workspace = await Workspace.findOneAndUpdate(
+    {
+      _id: workspaceId,
+    },
+    {
+      name,
+    },
+    {
+      new: true,
+    }
+  );
 
   return res.status(200).send({
     message: "Successfully changed workspace name",
@@ -253,20 +203,11 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
  * @returns
  */
 export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-  let integrations;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    integrations = await Integration.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integrations",
-    });
-  }
+  const integrations = await Integration.find({
+    workspace: workspaceId,
+  });
 
   return res.status(200).send({
     integrations,
@@ -283,20 +224,11 @@ export const getWorkspaceIntegrationAuthorizations = async (
   req: Request,
   res: Response
 ) => {
-  let authorizations;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    authorizations = await IntegrationAuth.find({
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace integration authorizations",
-    });
-  }
+  const authorizations = await IntegrationAuth.find({
+    workspace: workspaceId,
+  });
 
   return res.status(200).send({
     authorizations,
@@ -313,21 +245,12 @@ export const getWorkspaceServiceTokens = async (
   req: Request,
   res: Response
 ) => {
-  let serviceTokens;
-  try {
-    const { workspaceId } = req.params;
-    // ?? FIX.
-    serviceTokens = await ServiceToken.find({
-      user: req.user._id,
-      workspace: workspaceId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace service tokens",
-    });
-  }
+  const { workspaceId } = req.params;
+  // ?? FIX.
+  const serviceTokens = await ServiceToken.find({
+    user: req.user._id,
+    workspace: workspaceId,
+  });
 
   return res.status(200).send({
     serviceTokens,

backend/src/controllers/v2/apiKeyDataController.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
 import crypto from 'crypto';
 import bcrypt from 'bcrypt';
@@ -14,18 +13,9 @@ import { getSaltRounds } from '../../config';
  * @returns 
  */
 export const getAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        apiKeyData = await APIKeyData.find({
-            user: req.user._id
-        });
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to get API key data'
-        });
-    }
+    const apiKeyData = await APIKeyData.find({
+        user: req.user._id
+    });
     
     return res.status(200).send({
         apiKeyData
@@ -38,39 +28,30 @@ export const getAPIKeyData = async (req: Request, res: Response) => {
  * @param res 
  */
 export const createAPIKeyData = async (req: Request, res: Response) => {
-    let apiKey, apiKeyData;
-    try {
-        const { name, expiresIn } = req.body;
-        
-        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, await getSaltRounds());
-        
-		const expiresAt = new Date();
-		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
-        
-        apiKeyData = await new APIKeyData({
-            name,
-            lastUsed: new Date(),
-            expiresAt,
-            user: req.user._id,
-            secretHash
-        }).save();
-        
-        // return api key data without sensitive data
-        apiKeyData = await APIKeyData.findById(apiKeyData._id);
-        
-        if (!apiKeyData) throw new Error('Failed to find API key data');
-        
-        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
-            
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to API key data'
-        });
-    }
+    const { name, expiresIn } = req.body;
     
+    const secret = crypto.randomBytes(16).toString('hex');
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+    
+    const expiresAt = new Date();
+    expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+    
+    let apiKeyData = await new APIKeyData({
+        name,
+        lastUsed: new Date(),
+        expiresAt,
+        user: req.user._id,
+        secretHash
+    }).save();
+    
+    // return api key data without sensitive data
+    // FIX: fix this any
+    apiKeyData = await APIKeyData.findById(apiKeyData._id) as any
+    
+    if (!apiKeyData) throw new Error('Failed to find API key data');
+    
+    const apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
+            
     return res.status(200).send({
         apiKey,
         apiKeyData
@@ -84,21 +65,10 @@ export const createAPIKeyData = async (req: Request, res: Response) => {
  * @returns 
  */
 export const deleteAPIKeyData = async (req: Request, res: Response) => {
-    let apiKeyData;
-    try {
-        const { apiKeyDataId } = req.params;
-
-        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
-        
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
-        return res.status(400).send({
-            message: 'Failed to delete API key data'
-        });
-    }
+    const { apiKeyDataId } = req.params;
+    const apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
     
     return res.status(200).send({
         apiKeyData
     });
-}
+}

backend/src/controllers/v2/authController.ts

@@ -1,7 +1,6 @@
 /* eslint-disable @typescript-eslint/no-var-requires */
 import { Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
-import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
 const jsrp = require('jsrp');
 import { User, LoginSRPDetail } from '../../models';
@@ -35,47 +34,40 @@ declare module 'jsonwebtoken' {
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-  try {
-    const {
-      email,
-      clientPublicKey
-    }: { email: string; clientPublicKey: string } = req.body;
+  const {
+    email,
+    clientPublicKey
+  }: { email: string; clientPublicKey: string } = req.body;
 
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier');
+  const user = await User.findOne({
+    email
+  }).select('+salt +verifier');
 
-    if (!user) throw new Error('Failed to find user');
+  if (!user) throw new Error('Failed to find user');
 
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier
-      },
-      async () => {
-        // generate server-side public key
-        const serverPublicKey = server.getPublicKey();
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier
+    },
+    async () => {
+      // generate server-side public key
+      const serverPublicKey = server.getPublicKey();
 
-        await LoginSRPDetail.findOneAndReplace({ email: email }, {
-          email: email,
-          clientPublicKey: clientPublicKey,
-          serverBInt: bigintConversion.bigintToBuf(server.bInt),
-        }, { upsert: true, returnNewDocument: false });
+      await LoginSRPDetail.findOneAndReplace({ email: email }, {
+        email: email,
+        clientPublicKey: clientPublicKey,
+        serverBInt: bigintConversion.bigintToBuf(server.bInt),
+      }, { upsert: true, returnNewDocument: false });
 
-        return res.status(200).send({
-          serverPublicKey,
-          salt: user.salt
-        });
-      }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to start authentication process'
-    });
-  }
+      return res.status(200).send({
+        serverPublicKey,
+        salt: user.salt
+      });
+    }
+  );
+  
 };
 
 /**
@@ -86,149 +78,143 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-  try {
+  if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
 
-    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+  const { email, clientProof } = req.body;
+  const user = await User.findOne({
+    email
+  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices');
 
-    const { email, clientProof } = req.body;
-    const user = await User.findOne({
-      email
-    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+  if (!user) throw new Error('Failed to find user');
 
-    if (!user) throw new Error('Failed to find user');
+  const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
 
-    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+  if (!loginSRPDetail) {
+    return BadRequestError(Error("Failed to find login details for SRP"))
+  }
 
-    if (!loginSRPDetail) {
-      return BadRequestError(Error("Failed to find login details for SRP"))
-    }
+  const server = new jsrp.server();
+  server.init(
+    {
+      salt: user.salt,
+      verifier: user.verifier,
+      b: loginSRPDetail.serverBInt
+    },
+    async () => {
+      server.setClientPublicKey(loginSRPDetail.clientPublicKey);
 
-    const server = new jsrp.server();
-    server.init(
-      {
-        salt: user.salt,
-        verifier: user.verifier,
-        b: loginSRPDetail.serverBInt
-      },
-      async () => {
-        server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+      // compare server and client shared keys
+      if (server.checkClientProof(clientProof)) {
+        if (user.isMfaEnabled) {
+          // case: user has MFA enabled
 
-        // compare server and client shared keys
-        if (server.checkClientProof(clientProof)) {
-
-          if (user.isMfaEnabled) {
-            // case: user has MFA enabled
-
-            // generate temporary MFA token
-            const token = createToken({
-              payload: {
-                userId: user._id.toString()
-              },
-              expiresIn: await getJwtMfaLifetime(),
-              secret: await getJwtMfaSecret()
-            });
-
-            const code = await TokenService.createToken({
-              type: TOKEN_EMAIL_MFA,
-              email
-            });
-
-            // send MFA code [code] to [email]
-            await sendMail({
-              template: 'emailMfa.handlebars',
-              subjectLine: 'Infisical MFA code',
-              recipients: [email],
-              substitutions: {
-                code
-              }
-            });
-
-            return res.status(200).send({
-              mfaEnabled: true,
-              token
-            });
-          }
-
-          await checkUserDevice({
-            user,
-            ip: req.ip,
-            userAgent: req.headers['user-agent'] ?? ''
+          // generate temporary MFA token
+          const token = createToken({
+            payload: {
+              userId: user._id.toString()
+            },
+            expiresIn: await getJwtMfaLifetime(),
+            secret: await getJwtMfaSecret()
           });
 
-          // issue tokens
-          const tokens = await issueAuthTokens({ userId: user._id.toString() });
-
-          // store (refresh) token in httpOnly cookie
-          res.cookie('jid', tokens.refreshToken, {
-            httpOnly: true,
-            path: '/',
-            sameSite: 'strict',
-            secure: await getHttpsEnabled()
+          const code = await TokenService.createToken({
+            type: TOKEN_EMAIL_MFA,
+            email
           });
 
-          // case: user does not have MFA enablgged
-          // return (access) token in response
-
-          interface ResponseData {
-            mfaEnabled: boolean;
-            encryptionVersion: any;
-            protectedKey?: string;
-            protectedKeyIV?: string;
-            protectedKeyTag?: string;
-            token: string;
-            publicKey?: string;
-            encryptedPrivateKey?: string;
-            iv?: string;
-            tag?: string;
-          }
-
-          const response: ResponseData = {
-            mfaEnabled: false,
-            encryptionVersion: user.encryptionVersion,
-            token: tokens.token,
-            publicKey: user.publicKey,
-            encryptedPrivateKey: user.encryptedPrivateKey,
-            iv: user.iv,
-            tag: user.tag
-          }
-
-          if (
-            user?.protectedKey &&
-            user?.protectedKeyIV &&
-            user?.protectedKeyTag
-          ) {
-            response.protectedKey = user.protectedKey;
-            response.protectedKeyIV = user.protectedKeyIV
-            response.protectedKeyTag = user.protectedKeyTag;
-          }
-
-          const loginAction = await EELogService.createAction({
-            name: ACTION_LOGIN,
-            userId: user._id
+          // send MFA code [code] to [email]
+          await sendMail({
+            template: 'emailMfa.handlebars',
+            subjectLine: 'Infisical MFA code',
+            recipients: [email],
+            substitutions: {
+              code
+            }
           });
 
-          loginAction && await EELogService.createLog({
-            userId: user._id,
-            actions: [loginAction],
-            channel: getChannelFromUserAgent(req.headers['user-agent']),
-            ipAddress: req.ip
+          return res.status(200).send({
+            mfaEnabled: true,
+            token
           });
-
-          return res.status(200).send(response);
         }
 
-        return res.status(400).send({
-          message: 'Failed to authenticate. Try again?'
+        await checkUserDevice({
+          user,
+          ip: req.realIP,
+          userAgent: req.headers['user-agent'] ?? ''
         });
+
+        // issue tokens
+        const tokens = await issueAuthTokens({ 
+          userId: user._id,
+          ip: req.realIP,
+          userAgent: req.headers['user-agent'] ?? ''
+        });
+
+        // store (refresh) token in httpOnly cookie
+        res.cookie('jid', tokens.refreshToken, {
+          httpOnly: true,
+          path: '/',
+          sameSite: 'strict',
+          secure: await getHttpsEnabled()
+        });
+
+        // case: user does not have MFA enabled
+        // return (access) token in response
+
+        interface ResponseData {
+          mfaEnabled: boolean;
+          encryptionVersion: any;
+          protectedKey?: string;
+          protectedKeyIV?: string;
+          protectedKeyTag?: string;
+          token: string;
+          publicKey?: string;
+          encryptedPrivateKey?: string;
+          iv?: string;
+          tag?: string;
+        }
+
+        const response: ResponseData = {
+          mfaEnabled: false,
+          encryptionVersion: user.encryptionVersion,
+          token: tokens.token,
+          publicKey: user.publicKey,
+          encryptedPrivateKey: user.encryptedPrivateKey,
+          iv: user.iv,
+          tag: user.tag
+        }
+
+        if (
+          user?.protectedKey &&
+          user?.protectedKeyIV &&
+          user?.protectedKeyTag
+        ) {
+          response.protectedKey = user.protectedKey;
+          response.protectedKeyIV = user.protectedKeyIV
+          response.protectedKeyTag = user.protectedKeyTag;
+        }
+
+        const loginAction = await EELogService.createAction({
+          name: ACTION_LOGIN,
+          userId: user._id
+        });
+
+        loginAction && await EELogService.createLog({
+          userId: user._id,
+          actions: [loginAction],
+          channel: getChannelFromUserAgent(req.headers['user-agent']),
+          ipAddress: req.ip
+        });
+
+        return res.status(200).send(response);
       }
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to authenticate. Try again?'
-    });
-  }
+
+      return res.status(400).send({
+        message: 'Failed to authenticate. Try again?'
+      });
+    }
+  );
 };
 
 /**
@@ -237,30 +223,22 @@ export const login2 = async (req: Request, res: Response) => {
  * @param res 
  */
 export const sendMfaToken = async (req: Request, res: Response) => {
-  try {
-    const { email } = req.body;
+  const { email } = req.body;
 
-    const code = await TokenService.createToken({
-      type: TOKEN_EMAIL_MFA,
-      email
-    });
+  const code = await TokenService.createToken({
+    type: TOKEN_EMAIL_MFA,
+    email
+  });
 
-    // send MFA code [code] to [email]
-    await sendMail({
-      template: 'emailMfa.handlebars',
-      subjectLine: 'Infisical MFA code',
-      recipients: [email],
-      substitutions: {
-        code
-      }
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to send MFA code'
-    });
-  }
+  // send MFA code [code] to [email]
+  await sendMail({
+    template: 'emailMfa.handlebars',
+    subjectLine: 'Infisical MFA code',
+    recipients: [email],
+    substitutions: {
+      code
+    }
+  });
 
   return res.status(200).send({
     message: 'Successfully sent new MFA code'
@@ -284,7 +262,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
 
   const user = await User.findOne({
     email
-  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+  }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices');
 
   if (!user) throw new Error('Failed to find user');
 
@@ -292,12 +270,16 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
 
   await checkUserDevice({
     user,
-    ip: req.ip,
+    ip: req.realIP,
     userAgent: req.headers['user-agent'] ?? ''
   });
 
   // issue tokens
-  const tokens = await issueAuthTokens({ userId: user._id.toString() });
+  const tokens = await issueAuthTokens({ 
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers['user-agent'] ?? ''
+  });
 
   // store (refresh) token in httpOnly cookie
   res.cookie('jid', tokens.refreshToken, {
@@ -355,7 +337,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
     userId: user._id,
     actions: [loginAction],
     channel: getChannelFromUserAgent(req.headers['user-agent']),
-    ipAddress: req.ip
+    ipAddress: req.realIP
   });
 
   return res.status(200).send(resObj);

backend/src/controllers/v2/environmentController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import {
   Secret,
   ServiceToken,
@@ -9,7 +8,8 @@ import {
   Membership,
 } from '../../models';
 import { SecretVersion } from '../../ee/models';
-import { BadRequestError } from '../../utils/errors';
+import { EELicenseService } from '../../ee/services';
+import { BadRequestError, WorkspaceNotFoundError } from '../../utils/errors';
 import _ from 'lodash';
 import { PERMISSION_READ_SECRETS, PERMISSION_WRITE_SECRETS } from '../../variables';
 
@@ -23,32 +23,43 @@ export const createWorkspaceEnvironment = async (
   req: Request,
   res: Response
 ) => {
+
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug } = req.body;
-  try {
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (
-      !workspace ||
-      workspace?.environments.find(
-        ({ name, slug }) => slug === environmentSlug || environmentName === name
-      )
-    ) {
-      throw new Error('Failed to create workspace environment');
+  const workspace = await Workspace.findById(workspaceId).exec();
+  
+  if (!workspace) throw WorkspaceNotFoundError();
+  
+  const plan = await EELicenseService.getPlan(workspace.organization.toString());
+  
+  if (plan.environmentLimit !== null) {
+    // case: limit imposed on number of environments allowed
+    if (workspace.environments.length >= plan.environmentLimit) {
+      // case: number of environments used exceeds the number of environments allowed
+      
+      return res.status(400).send({
+        message: 'Failed to create environment due to environment limit reached. Upgrade plan to create more environments.'
+      });
     }
-
-    workspace?.environments.push({
-      name: environmentName,
-      slug: environmentSlug.toLowerCase(),
-    });
-    await workspace.save();
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to create new workspace environment',
-    });
   }
 
+  if (
+    !workspace ||
+    workspace?.environments.find(
+      ({ name, slug }) => slug === environmentSlug || environmentName === name
+    )
+  ) {
+    throw new Error('Failed to create workspace environment');
+  }
+
+  workspace?.environments.push({
+    name: environmentName,
+    slug: environmentSlug.toLowerCase(),
+  });
+  await workspace.save();
+
+  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
+
   return res.status(200).send({
     message: 'Successfully created new environment',
     workspace: workspaceId,
@@ -72,75 +83,67 @@ export const renameWorkspaceEnvironment = async (
 ) => {
   const { workspaceId } = req.params;
   const { environmentName, environmentSlug, oldEnvironmentSlug } = req.body;
-  try {
-    // user should pass both new slug and env name
-    if (!environmentSlug || !environmentName) {
-      throw new Error('Invalid environment given.');
-    }
-
-    // atomic update the env to avoid conflict
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (!workspace) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    const isEnvExist = workspace.environments.some(
-      ({ name, slug }) =>
-        slug !== oldEnvironmentSlug &&
-        (name === environmentName || slug === environmentSlug)
-    );
-    if (isEnvExist) {
-      throw new Error('Invalid environment given');
-    }
-
-    const envIndex = workspace?.environments.findIndex(
-      ({ slug }) => slug === oldEnvironmentSlug
-    );
-    if (envIndex === -1) {
-      throw new Error('Invalid environment given');
-    }
-
-    workspace.environments[envIndex].name = environmentName;
-    workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
-
-    await workspace.save();
-    await Secret.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await SecretVersion.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await ServiceToken.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await ServiceTokenData.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await Integration.updateMany(
-      { workspace: workspaceId, environment: oldEnvironmentSlug },
-      { environment: environmentSlug }
-    );
-    await Membership.updateMany(
-      {
-        workspace: workspaceId,
-        "deniedPermissions.environmentSlug": oldEnvironmentSlug
-      },
-      { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
-      { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
-    )
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to update workspace environment',
-    });
+  // user should pass both new slug and env name
+  if (!environmentSlug || !environmentName) {
+    throw new Error('Invalid environment given.');
   }
 
+  // atomic update the env to avoid conflict
+  const workspace = await Workspace.findById(workspaceId).exec();
+  if (!workspace) {
+    throw new Error('Failed to create workspace environment');
+  }
+
+  const isEnvExist = workspace.environments.some(
+    ({ name, slug }) =>
+      slug !== oldEnvironmentSlug &&
+      (name === environmentName || slug === environmentSlug)
+  );
+  if (isEnvExist) {
+    throw new Error('Invalid environment given');
+  }
+
+  const envIndex = workspace?.environments.findIndex(
+    ({ slug }) => slug === oldEnvironmentSlug
+  );
+  if (envIndex === -1) {
+    throw new Error('Invalid environment given');
+  }
+
+  workspace.environments[envIndex].name = environmentName;
+  workspace.environments[envIndex].slug = environmentSlug.toLowerCase();
+
+  await workspace.save();
+  await Secret.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await SecretVersion.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await ServiceToken.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await ServiceTokenData.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await Integration.updateMany(
+    { workspace: workspaceId, environment: oldEnvironmentSlug },
+    { environment: environmentSlug }
+  );
+  await Membership.updateMany(
+    {
+      workspace: workspaceId,
+      "deniedPermissions.environmentSlug": oldEnvironmentSlug
+    },
+    { $set: { "deniedPermissions.$[element].environmentSlug": environmentSlug } },
+    { arrayFilters: [{ "element.environmentSlug": oldEnvironmentSlug }] }
+  )
+
+
   return res.status(200).send({
     message: 'Successfully update environment',
     workspace: workspaceId,
@@ -163,57 +166,50 @@ export const deleteWorkspaceEnvironment = async (
 ) => {
   const { workspaceId } = req.params;
   const { environmentSlug } = req.body;
-  try {
-    // atomic update the env to avoid conflict
-    const workspace = await Workspace.findById(workspaceId).exec();
-    if (!workspace) {
-      throw new Error('Failed to create workspace environment');
-    }
-
-    const envIndex = workspace?.environments.findIndex(
-      ({ slug }) => slug === environmentSlug
-    );
-    if (envIndex === -1) {
-      throw new Error('Invalid environment given');
-    }
-
-    workspace.environments.splice(envIndex, 1);
-    await workspace.save();
-
-    // clean up
-    await Secret.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await SecretVersion.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceToken.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await ServiceTokenData.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await Integration.deleteMany({
-      workspace: workspaceId,
-      environment: environmentSlug,
-    });
-    await Membership.updateMany(
-      { workspace: workspaceId },
-      { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
-    )
-
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: 'Failed to delete workspace environment',
-    });
+  // atomic update the env to avoid conflict
+  const workspace = await Workspace.findById(workspaceId).exec();
+  if (!workspace) {
+    throw new Error('Failed to create workspace environment');
   }
 
+  const envIndex = workspace?.environments.findIndex(
+    ({ slug }) => slug === environmentSlug
+  );
+  if (envIndex === -1) {
+    throw new Error('Invalid environment given');
+  }
+
+  workspace.environments.splice(envIndex, 1);
+  await workspace.save();
+
+  // clean up
+  await Secret.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await SecretVersion.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await ServiceToken.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await ServiceTokenData.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await Integration.deleteMany({
+    workspace: workspaceId,
+    environment: environmentSlug,
+  });
+  await Membership.updateMany(
+    { workspace: workspaceId },
+    { $pull: { deniedPermissions: { environmentSlug: environmentSlug } } }
+  );
+
+  await EELicenseService.refreshPlan(workspace.organization.toString(), workspaceId);
+
   return res.status(200).send({
     message: 'Successfully deleted environment',
     workspace: workspaceId,

backend/src/controllers/v2/organizationsController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { 
     MembershipOrg,
@@ -49,20 +48,11 @@ export const getOrganizationMemberships = async (req: Request, res: Response) =>
         }
     }   
     */
-    let memberships;
-    try {
-        const { organizationId } = req.params;
+    const { organizationId } = req.params;
 
-		memberships = await MembershipOrg.find({
+		const memberships = await MembershipOrg.find({
 			organization: organizationId
 		}).populate('user', '+publicKey');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get organization memberships'
-		});
-    }
     
     return res.status(200).send({
         memberships
@@ -128,26 +118,17 @@ export const updateOrganizationMembership = async (req: Request, res: Response)
         }
     }   
     */
-    let membership;
-    try {
-        const { membershipId } = req.params;
-        const { role } = req.body;
-        
-        membership = await MembershipOrg.findByIdAndUpdate(
-            membershipId,
-            {
-                role
-            }, {
-                new: true
-            }
-        );
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update organization membership'
-		});
-    }
+    const { membershipId } = req.params;
+    const { role } = req.body;
+    
+    const membership = await MembershipOrg.findByIdAndUpdate(
+        membershipId,
+        {
+            role
+        }, {
+            new: true
+        }
+    );
     
     return res.status(200).send({
         membership
@@ -197,25 +178,16 @@ export const deleteOrganizationMembership = async (req: Request, res: Response)
         }
     }   
     */
-    let membership;
-    try {
-        const { membershipId } = req.params;
-        
-        // delete organization membership
-        membership = await deleteMembershipOrg({
-            membershipOrgId: membershipId
-        });
+    const { membershipId } = req.params;
+    
+    // delete organization membership
+    const membership = await deleteMembershipOrg({
+        membershipOrgId: membershipId
+    });
 
-        await updateSubscriptionOrgQuantity({
+    await updateSubscriptionOrgQuantity({
 			organizationId: membership.organization.toString()
 		});
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete organization membership'
-		});	
-    }
 
     return res.status(200).send({
         membership
@@ -303,4 +275,4 @@ export const getOrganizationServiceAccounts = async (req: Request, res: Response
     return res.status(200).send({
         serviceAccounts
     });
-}
+}

backend/src/controllers/v2/secretsController.ts

@@ -1,6 +1,6 @@
 import { Types } from "mongoose";
 import { Request, Response } from "express";
-import { ISecret, Secret } from "../../models";
+import { ISecret, Secret, ServiceTokenData } from "../../models";
 import { IAction, SecretVersion } from "../../ee/models";
 import {
   SECRET_PERSONAL,
@@ -29,6 +29,7 @@ import { BatchSecretRequest, BatchSecret } from "../../types/secret";
 import Folder from "../../models/folder";
 import {
   getFolderByPath,
+  getFolderIdFromServiceToken,
   searchByFolderId,
 } from "../../services/FolderService";
 
@@ -45,14 +46,15 @@ export const batchSecrets = async (req: Request, res: Response) => {
   const {
     workspaceId,
     environment,
-    folderId,
     requests,
+    secretPath,
   }: {
     workspaceId: string;
     environment: string;
-    folderId: string;
     requests: BatchSecretRequest[];
+    secretPath: string;
   } = req.body;
+  let folderId = req.body.folderId as string;
 
   const createSecrets: BatchSecret[] = [];
   const updateSecrets: BatchSecret[] = [];
@@ -70,6 +72,25 @@ export const batchSecrets = async (req: Request, res: Response) => {
     if (!folder) throw BadRequestError({ message: "Folder not found" });
   }
 
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if (
+      (!secretPath && folderId !== "root") ||
+      (secretPath && secretPath !== serviceTkScopedSecretPath)
+    ) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  if (secretPath) {
+    folderId = await getFolderIdFromServiceToken(
+      workspaceId,
+      environment,
+      secretPath
+    );
+  }
+
   for await (const request of requests) {
     // do a validation
 
@@ -152,6 +173,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
           numberOfSecrets: createdSecrets.length,
           environment,
           workspaceId,
+          folderId,
           channel,
           userAgent: req.headers?.["user-agent"],
         },
@@ -218,6 +240,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
           algorithm: ALGORITHM_AES_256_GCM,
           keyEncoding: ENCODING_SCHEME_UTF8,
           tags: u.tags,
+          folder: u.folder,
         })
     );
 
@@ -247,6 +270,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
           numberOfSecrets: updateSecrets.length,
           environment,
           workspaceId,
+          folderId,
           channel,
           userAgent: req.headers?.["user-agent"],
         },
@@ -296,7 +320,7 @@ export const batchSecrets = async (req: Request, res: Response) => {
       workspaceId: new Types.ObjectId(workspaceId),
       actions,
       channel,
-      ipAddress: req.ip,
+      ipAddress: req.realIP,
     });
   }
 
@@ -394,8 +418,13 @@ export const createSecrets = async (req: Request, res: Response) => {
   const {
     workspaceId,
     environment,
-    folderId,
-  }: { workspaceId: string; environment: string; folderId: string } = req.body;
+    secretPath,
+  }: {
+    workspaceId: string;
+    environment: string;
+    secretPath?: string;
+  } = req.body;
+  let folderId = req.body.folderId;
 
   if (req.user) {
     const hasAccess = await userHasWorkspaceAccess(
@@ -420,6 +449,24 @@ export const createSecrets = async (req: Request, res: Response) => {
     // case: create 1 secret
     listOfSecretsToCreate = [req.body.secrets];
   }
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if (
+      (!secretPath && folderId !== "root") ||
+      (secretPath && secretPath !== serviceTkScopedSecretPath)
+    ) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  if (secretPath) {
+    folderId = await getFolderIdFromServiceToken(
+      workspaceId,
+      environment,
+      secretPath
+    );
+  }
 
   // get secret blind index salt
   const salt = await SecretService.getSecretBlindIndexSalt({
@@ -562,7 +609,7 @@ export const createSecrets = async (req: Request, res: Response) => {
       workspaceId: new Types.ObjectId(workspaceId),
       actions: [addAction],
       channel,
-      ipAddress: req.ip,
+      ipAddress: req.realIP,
     }));
 
   // (EE) take a secret snapshot
@@ -584,6 +631,7 @@ export const createSecrets = async (req: Request, res: Response) => {
         environment,
         workspaceId,
         channel: channel,
+        folderId,
         userAgent: req.headers?.["user-agent"],
       },
     });
@@ -659,6 +707,18 @@ export const getSecrets = async (req: Request, res: Response) => {
     if (!folder) throw BadRequestError({ message: "Folder not found" });
   }
 
+  if (req.authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = req.authData.authPayload;
+    // in service token when not giving secretpath folderid must be root
+    // this is to avoid giving folderid when service tokens are used
+    if (
+      (!secretPath && folderId !== "root") ||
+      (secretPath && secretPath !== serviceTkScopedSecretPath)
+    ) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+
   if (folders && secretPath) {
     if (!folders) throw BadRequestError({ message: "Folder not found" });
     const folder = getFolderByPath(folders.nodes, secretPath as string);
@@ -784,7 +844,7 @@ export const getSecrets = async (req: Request, res: Response) => {
       workspaceId: new Types.ObjectId(workspaceId as string),
       actions: [readAction],
       channel,
-      ipAddress: req.ip,
+      ipAddress: req.realIP,
     }));
 
   const postHogClient = await TelemetryService.getPostHogClient();
@@ -799,6 +859,7 @@ export const getSecrets = async (req: Request, res: Response) => {
         environment,
         workspaceId,
         channel,
+        folderId,
         userAgent: req.headers?.["user-agent"],
       },
     });
@@ -1019,7 +1080,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
         workspaceId: new Types.ObjectId(key),
         actions: [updateAction],
         channel,
-        ipAddress: req.ip,
+        ipAddress: req.realIP,
       }));
 
     // (EE) take a secret snapshot
@@ -1157,7 +1218,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
         workspaceId: new Types.ObjectId(key),
         actions: [deleteAction],
         channel,
-        ipAddress: req.ip,
+        ipAddress: req.realIP,
       }));
 
     // (EE) take a secret snapshot

backend/src/controllers/v2/serviceTokenDataController.ts

@@ -1,30 +1,27 @@
-import * as Sentry from '@sentry/node';
-import { Request, Response } from 'express';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
+import { Request, Response } from "express";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
+import { User, ServiceAccount, ServiceTokenData } from "../../models";
+import { userHasWorkspaceAccess } from "../../ee/helpers/checkMembershipPermissions";
 import {
-    User,
-    ServiceAccount,
-    ServiceTokenData
-} from '../../models';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
-import { 
-    PERMISSION_READ_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN
-} from '../../variables';
-import { getSaltRounds } from '../../config';
-import { BadRequestError } from '../../utils/errors';
+  PERMISSION_READ_SECRETS,
+  AUTH_MODE_JWT,
+  AUTH_MODE_SERVICE_ACCOUNT,
+  AUTH_MODE_SERVICE_TOKEN,
+} from "../../variables";
+import { getSaltRounds } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import Folder from "../../models/folder";
+import { getFolderByPath } from "../../services/FolderService";
 
 /**
  * Return service token data associated with service token on request
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const getServiceTokenData = async (req: Request, res: Response) => {
-    /* 
+  /* 
     #swagger.summary = 'Return Infisical Token data'
     #swagger.description = 'Return Infisical Token data'
     
@@ -37,111 +34,135 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
             "application/json": {
                 "schema": { 
                     "type": "object",
-					"properties": {
+          "properties": {
                         "serviceTokenData": {
                             "type": "object",
                             $ref: "#/components/schemas/ServiceTokenData",
                             "description": "Details of service token"
                         }
-					}
+          }
                 }
             }           
         }
     }   
     */
 
-    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
-        message: 'Failed accepted client validation for service token data'
+  if (!(req.authData.authPayload instanceof ServiceTokenData))
+    throw BadRequestError({
+      message: "Failed accepted client validation for service token data",
     });
 
-    const serviceTokenData = await ServiceTokenData
-        .findById(req.authData.authPayload._id)
-        .select('+encryptedKey +iv +tag')
-        .populate('user');
+  const serviceTokenData = await ServiceTokenData.findById(
+    req.authData.authPayload._id
+  )
+    .select("+encryptedKey +iv +tag")
+    .populate("user");
 
-    return res.status(200).json(serviceTokenData);
-}
+  return res.status(200).json(serviceTokenData);
+};
 
 /**
  * Create new service token data for workspace with id [workspaceId] and
  * environment [environment].
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const createServiceTokenData = async (req: Request, res: Response) => {
-    let serviceTokenData;
+  let serviceTokenData;
 
-    const {
-        name,
-        workspaceId,
-        environment,
-        encryptedKey,
-        iv,
-        tag,
-        expiresIn,
-        permissions
-    } = req.body;
+  const {
+    name,
+    workspaceId,
+    environment,
+    encryptedKey,
+    iv,
+    tag,
+    expiresIn,
+    secretPath,
+    permissions,
+  } = req.body;
 
-    const secret = crypto.randomBytes(16).toString('hex');
-    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  });
 
-    let expiresAt; 
-    if (expiresIn) {
-        expiresAt = new Date()
-        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (folder == undefined) {
+      throw BadRequestError({ message: "Path for service token does not exist" })
     }
+  }
 
-    let user, serviceAccount;
-    
-    if (req.authData.authMode === AUTH_MODE_JWT && req.authData.authPayload instanceof User) {
-        user = req.authData.authPayload._id;
-    }
+  const secret = crypto.randomBytes(16).toString("hex");
+  const secretHash = await bcrypt.hash(secret, await getSaltRounds());
 
-    if (req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && req.authData.authPayload instanceof ServiceAccount) {
-        serviceAccount = req.authData.authPayload._id;
-    }
-        
-    serviceTokenData = await new ServiceTokenData({
-        name,
-        workspace: workspaceId,
-        environment,
-        user,
-        serviceAccount,
-        lastUsed: new Date(),
-        expiresAt,
-        secretHash,
-        encryptedKey,
-        iv,
-        tag,
-        permissions
-    }).save();
+  let expiresAt;
+  if (expiresIn) {
+    expiresAt = new Date();
+    expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+  }
 
-    // return service token data without sensitive data
-    serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+  let user, serviceAccount;
 
-    if (!serviceTokenData) throw new Error('Failed to find service token data');
+  if (
+    req.authData.authMode === AUTH_MODE_JWT &&
+    req.authData.authPayload instanceof User
+  ) {
+    user = req.authData.authPayload._id;
+  }
 
-    const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+  if (
+    req.authData.authMode === AUTH_MODE_SERVICE_ACCOUNT &&
+    req.authData.authPayload instanceof ServiceAccount
+  ) {
+    serviceAccount = req.authData.authPayload._id;
+  }
 
-    return res.status(200).send({
-        serviceToken,
-        serviceTokenData
-    });
-}
+  serviceTokenData = await new ServiceTokenData({
+    name,
+    workspace: workspaceId,
+    environment,
+    user,
+    serviceAccount,
+    lastUsed: new Date(),
+    expiresAt,
+    secretHash,
+    encryptedKey,
+    iv,
+    tag,
+    secretPath,
+    permissions,
+  }).save();
+
+  // return service token data without sensitive data
+  serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+  if (!serviceTokenData) throw new Error("Failed to find service token data");
+
+  const serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
+  return res.status(200).send({
+    serviceToken,
+    serviceTokenData,
+  });
+};
 
 /**
  * Delete service token data with id [serviceTokenDataId].
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
  */
 export const deleteServiceTokenData = async (req: Request, res: Response) => {
-    const { serviceTokenDataId } = req.params;
+  const { serviceTokenDataId } = req.params;
 
-    const serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+  const serviceTokenData = await ServiceTokenData.findByIdAndDelete(
+    serviceTokenDataId
+  );
 
-    return res.status(200).send({
-        serviceTokenData
-    });
-}
+  return res.status(200).send({
+    serviceTokenData,
+  });
+};

backend/src/controllers/v2/signupController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { User, MembershipOrg } from '../../models';
 import { completeAccount } from '../../helpers/user';
 import {
@@ -20,136 +19,130 @@ import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
  */
 export const completeAccountSignup = async (req: Request, res: Response) => {
 	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier,
-			organizationName
-		}: {
-			email: string;
-			firstName: string;
-			lastName: string;
-			protectedKey: string;
-			protectedKeyIV: string;
-			protectedKeyTag: string;
-			publicKey: string;
-			encryptedPrivateKey: string;
-			encryptedPrivateKeyIV: string;
-			encryptedPrivateKeyTag: string;
-			salt: string;
-			verifier: string;
-			organizationName: string;
-		} = req.body;
+  const {
+    email,
+    firstName,
+    lastName,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier,
+    organizationName
+  }: {
+    email: string;
+    firstName: string;
+    lastName: string;
+    protectedKey: string;
+    protectedKeyIV: string;
+    protectedKeyTag: string;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    encryptedPrivateKeyIV: string;
+    encryptedPrivateKeyTag: string;
+    salt: string;
+    verifier: string;
+    organizationName: string;
+  } = req.body;
 
-		// get user
-		user = await User.findOne({ email });
+  // get user
+  user = await User.findOne({ email });
 
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
+  if (!user || (user && user?.publicKey)) {
+    // case 1: user doesn't exist.
+    // case 2: user has already completed account
+    return res.status(403).send({
+      error: 'Failed to complete account for complete user'
+    });
+  }
 
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		});
+  // complete setting up user's account
+  user = await completeAccount({
+    userId: user._id.toString(),
+    firstName,
+    lastName,
+    encryptionVersion: 2,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier
+  });
 
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+  if (!user)
+    throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
 
-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user
-		});
+  // initialize default organization and workspace
+  await initializeDefaultOrg({
+    organizationName,
+    user
+  });
 
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		const membershipsToUpdate = await MembershipOrg.find({
-			inviteEmail: email,
-			status: INVITED
-		});
-		
-		membershipsToUpdate.forEach(async (membership) => {
-			await updateSubscriptionOrgQuantity({
-				organizationId: membership.organization.toString()
-			});
-		});
+  // update organization membership statuses that are
+  // invited to completed with user attached
+  const membershipsToUpdate = await MembershipOrg.find({
+    inviteEmail: email,
+    status: INVITED
+  });
+  
+  membershipsToUpdate.forEach(async (membership) => {
+    await updateSubscriptionOrgQuantity({
+      organizationId: membership.organization.toString()
+    });
+  });
 
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
+  // update organization membership statuses that are
+  // invited to completed with user attached
+  await MembershipOrg.updateMany(
+    {
+      inviteEmail: email,
+      status: INVITED
+    },
+    {
+      user,
+      status: ACCEPTED
+    }
+  );
 
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
-		});
+  // issue tokens
+  const tokens = await issueAuthTokens({
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers['user-agent'] ?? ''
+  });
 
-		token = tokens.token;
+  token = tokens.token;
 
-		// sending a welcome email to new users
-		if (await getLoopsApiKey()) {
-			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + (await getLoopsApiKey())
-				},
-			});
-		}
+  // sending a welcome email to new users
+  if (await getLoopsApiKey()) {
+    await standardRequest.post("https://app.loops.so/api/v1/events/send", {
+      "email": email,
+      "eventName": "Sign Up",
+      "firstName": firstName,
+      "lastName": lastName
+    }, {
+      headers: {
+        "Accept": "application/json",
+        "Authorization": "Bearer " + (await getLoopsApiKey())
+      },
+    });
+  }
 
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: await getHttpsEnabled()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
+  // store (refresh) token in httpOnly cookie
+  res.cookie('jid', tokens.refreshToken, {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'strict',
+    secure: await getHttpsEnabled()
+  });
 
 	return res.status(200).send({
 		message: 'Successfully set up account',
@@ -167,109 +160,103 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
  */
 export const completeAccountInvite = async (req: Request, res: Response) => {
 	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		} = req.body;
+  const {
+    email,
+    firstName,
+    lastName,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier
+  } = req.body;
 
-		// get user
-		user = await User.findOne({ email });
+  // get user
+  user = await User.findOne({ email });
 
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
+  if (!user || (user && user?.publicKey)) {
+    // case 1: user doesn't exist.
+    // case 2: user has already completed account
+    return res.status(403).send({
+      error: 'Failed to complete account for complete user'
+    });
+  }
 
-		const membershipOrg = await MembershipOrg.findOne({
-			inviteEmail: email,
-			status: INVITED
-		});
+  const membershipOrg = await MembershipOrg.findOne({
+    inviteEmail: email,
+    status: INVITED
+  });
 
-		if (!membershipOrg) throw new Error('Failed to find invitations for email');
+  if (!membershipOrg) throw new Error('Failed to find invitations for email');
 
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			encryptionVersion: 2,
-			protectedKey,
-			protectedKeyIV,
-			protectedKeyTag,
-			publicKey,
-			encryptedPrivateKey,
-			encryptedPrivateKeyIV,
-			encryptedPrivateKeyTag,
-			salt,
-			verifier
-		});
+  // complete setting up user's account
+  user = await completeAccount({
+    userId: user._id.toString(),
+    firstName,
+    lastName,
+    encryptionVersion: 2,
+    protectedKey,
+    protectedKeyIV,
+    protectedKeyTag,
+    publicKey,
+    encryptedPrivateKey,
+    encryptedPrivateKeyIV,
+    encryptedPrivateKeyTag,
+    salt,
+    verifier
+  });
 
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user');
-		
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		const membershipsToUpdate = await MembershipOrg.find({
-			inviteEmail: email,
-			status: INVITED
-		});
-		
-		membershipsToUpdate.forEach(async (membership) => {
-			await updateSubscriptionOrgQuantity({
-				organizationId: membership.organization.toString()
-			});
-		});
+  if (!user)
+    throw new Error('Failed to complete account for non-existent user');
+  
+  // update organization membership statuses that are
+  // invited to completed with user attached
+  const membershipsToUpdate = await MembershipOrg.find({
+    inviteEmail: email,
+    status: INVITED
+  });
+  
+  membershipsToUpdate.forEach(async (membership) => {
+    await updateSubscriptionOrgQuantity({
+      organizationId: membership.organization.toString()
+    });
+  });
 
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
+  await MembershipOrg.updateMany(
+    {
+      inviteEmail: email,
+      status: INVITED
+    },
+    {
+      user,
+      status: ACCEPTED
+    }
+  );
 
-		// issue tokens
-		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
-		});
+  // issue tokens
+  const tokens = await issueAuthTokens({
+    userId: user._id,
+    ip: req.realIP,
+    userAgent: req.headers['user-agent'] ?? ''
+  });
 
-		token = tokens.token;
+  token = tokens.token;
 
-		// store (refresh) token in httpOnly cookie
-		res.cookie('jid', tokens.refreshToken, {
-			httpOnly: true,
-			path: '/',
-			sameSite: 'strict',
-			secure: await getHttpsEnabled()
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
+  // store (refresh) token in httpOnly cookie
+  res.cookie('jid', tokens.refreshToken, {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'strict',
+    secure: await getHttpsEnabled()
+  });
 
 	return res.status(200).send({
 		message: 'Successfully set up account',
 		user,
 		token
 	});
-};
+};

backend/src/controllers/v2/tagController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import {
 	Membership, Secret,
@@ -69,4 +68,4 @@ export const getWorkspaceTags = async (req: Request, res: Response) => {
 	return res.json({
 		workspaceTags
 	})
-}
+}

backend/src/controllers/v2/usersController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import {
     User,
     MembershipOrg
@@ -37,18 +36,9 @@ export const getMe = async (req: Request, res: Response) => {
         }
     }   
     */
-    let user;
-    try {
-        user = await User
-            .findById(req.user._id)
-            .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get current user'
-		});
-    }
+    const user = await User
+        .findById(req.user._id)
+        .select('+salt +publicKey +encryptedPrivateKey +iv +tag +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag');
     
     return res.status(200).send({
         user
@@ -64,29 +54,20 @@ export const getMe = async (req: Request, res: Response) => {
  * @returns 
  */
 export const updateMyMfaEnabled = async (req: Request, res: Response) => {
-    let user;
-    try {
-        const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
-        req.user.isMfaEnabled = isMfaEnabled;
-        
-        if (isMfaEnabled) { 
-            // TODO: adapt this route/controller 
-            // to work for different forms of MFA
-            req.user.mfaMethods = ['email'];
-        } else {
-            req.user.mfaMethods = [];
-        }
-
-        await req.user.save();
-        
-        user = req.user;
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to update current user's MFA status"
-		}); 
+    const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
+    req.user.isMfaEnabled = isMfaEnabled;
+    
+    if (isMfaEnabled) { 
+        // TODO: adapt this route/controller 
+        // to work for different forms of MFA
+        req.user.mfaMethods = ['email'];
+    } else {
+        req.user.mfaMethods = [];
     }
+
+    await req.user.save();
+    
+    const user = req.user;
     
     return res.status(200).send({
         user
@@ -126,22 +107,13 @@ export const getMyOrganizations = async (req: Request, res: Response) => {
         }
     }   
     */
-	let organizations;
-	try {
-		organizations = (
-			await MembershipOrg.find({
-				user: req.user._id
-			}).populate('organization')
-		).map((m) => m.organization);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: "Failed to get current user's organizations"
-		});
-	}
+  const organizations = (
+    await MembershipOrg.find({
+      user: req.user._id
+    }).populate('organization')
+  ).map((m) => m.organization);
 
 	return res.status(200).send({
 		organizations
 	});
-}
+}

backend/src/controllers/v2/workspaceController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import {
 	Workspace,
@@ -47,66 +46,57 @@ interface V2PushSecret {
  */
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		let { secrets }: { secrets: V2PushSecret[] } = req.body;
-		const { keys, environment, channel } = req.body;
-		const { workspaceId } = req.params;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  let { secrets }: { secrets: V2PushSecret[] } = req.body;
+  const { keys, environment, channel } = req.body;
+  const { workspaceId } = req.params;
 
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error('Failed to validate environment');
+  }
 
-		// sanitize secrets
-		secrets = secrets.filter(
-			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
-		);
+  // sanitize secrets
+  secrets = secrets.filter(
+    (s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
+  );
 
-		await push({
-			userId: req.user._id,
-			workspaceId,
-			environment,
-			secrets,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
+  await push({
+    userId: req.user._id,
+    workspaceId,
+    environment,
+    secrets,
+    channel: channel ? channel : 'cli',
+    ipAddress: req.realIP
+  });
 
-		await pushKeys({
-			userId: req.user._id,
-			workspaceId,
-			keys
-		});
+  await pushKeys({
+    userId: req.user._id,
+    workspaceId,
+    keys
+  });
 
-		if (postHogClient) {
-			postHogClient.capture({
-				event: 'secrets pushed',
-				distinctId: req.user.email,
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets pushed',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : 'cli'
+      }
+    });
+  }
 
-		// trigger event - push secrets
-		EventService.handleEvent({
-			event: eventPushSecrets({
-				workspaceId: new Types.ObjectId(workspaceId),
-				environment
-			})
-		});
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to upload workspace secrets'
-		});
-	}
+  // trigger event - push secrets
+  EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment
+    })
+  });
 
 	return res.status(200).send({
 		message: 'Successfully uploaded workspace secrets'
@@ -122,56 +112,48 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
  */
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
-	try {
-		const postHogClient = await TelemetryService.getPostHogClient();
-		const environment: string = req.query.environment as string;
-		const channel: string = req.query.channel as string;
-		const { workspaceId } = req.params;
+  const postHogClient = await TelemetryService.getPostHogClient();
+  const environment: string = req.query.environment as string;
+  const channel: string = req.query.channel as string;
+  const { workspaceId } = req.params;
 
-		let userId;
-		if (req.user) {
-			userId = req.user._id.toString();
-		} else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user.toString();
-		}
-		// validate environment
-		const workspaceEnvs = req.membership.workspace.environments;
-		if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
-			throw new Error('Failed to validate environment');
-		}
+  let userId;
+  if (req.user) {
+    userId = req.user._id.toString();
+  } else if (req.serviceTokenData) {
+    userId = req.serviceTokenData.user.toString();
+  }
+  // validate environment
+  const workspaceEnvs = req.membership.workspace.environments;
+  if (!workspaceEnvs.find(({ slug }: { slug: string }) => slug === environment)) {
+    throw new Error('Failed to validate environment');
+  }
 
-		secrets = await pull({
-			userId,
-			workspaceId,
-			environment,
-			channel: channel ? channel : 'cli',
-			ipAddress: req.ip
-		});
+  secrets = await pull({
+    userId,
+    workspaceId,
+    environment,
+    channel: channel ? channel : 'cli',
+    ipAddress: req.realIP
+  });
 
-		if (channel !== 'cli') {
-			secrets = reformatPullSecrets({ secrets });
-		}
+  if (channel !== 'cli') {
+    secrets = reformatPullSecrets({ secrets });
+  }
 
-		if (postHogClient) {
-			// capture secrets pushed event in production
-			postHogClient.capture({
-				distinctId: req.user.email,
-				event: 'secrets pulled',
-				properties: {
-					numberOfSecrets: secrets.length,
-					environment,
-					workspaceId,
-					channel: channel ? channel : 'cli'
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to pull workspace secrets'
-		});
-	}
+  if (postHogClient) {
+    // capture secrets pushed event in production
+    postHogClient.capture({
+      distinctId: req.user.email,
+      event: 'secrets pulled',
+      properties: {
+        numberOfSecrets: secrets.length,
+        environment,
+        workspaceId,
+        channel: channel ? channel : 'cli'
+      }
+    });
+  }
 
 	return res.status(200).send({
 		secrets
@@ -208,22 +190,14 @@ export const getWorkspaceKey = async (req: Request, res: Response) => {
     }   
     */
 	let key;
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-		key = await Key.findOne({
-			workspace: workspaceId,
-			receiver: req.user._id
-		}).populate('sender', '+publicKey');
+  key = await Key.findOne({
+    workspace: workspaceId,
+    receiver: req.user._id
+  }).populate('sender', '+publicKey');
 
-		if (!key) throw new Error('Failed to find workspace key');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace key'
-		});
-	}
+  if (!key) throw new Error('Failed to find workspace key');
 
 	return res.status(200).json(key);
 }
@@ -231,23 +205,13 @@ export const getWorkspaceServiceTokenData = async (
 	req: Request,
 	res: Response
 ) => {
-	let serviceTokenData;
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-		serviceTokenData = await ServiceTokenData
-			.find({
-				workspace: workspaceId
-			})
-			.select('+encryptedKey +iv +tag');
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace service token data'
-		});
-	}
+  const serviceTokenData = await ServiceTokenData
+    .find({
+      workspace: workspaceId
+    })
+    .select('+encryptedKey +iv +tag');
 
 	return res.status(200).send({
 		serviceTokenData
@@ -294,20 +258,11 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
         }
     }   
     */
-	let memberships;
-	try {
-		const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-		memberships = await Membership.find({
-			workspace: workspaceId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace memberships'
-		});
-	}
+  const memberships = await Membership.find({
+    workspace: workspaceId
+  }).populate('user', '+publicKey');
 
 	return res.status(200).send({
 		memberships
@@ -374,29 +329,20 @@ export const updateWorkspaceMembership = async (req: Request, res: Response) =>
         }
     }   
     */
-	let membership;
-	try {
-		const {
-			membershipId
-		} = req.params;
-		const { role } = req.body;
-		
-		membership = await Membership.findByIdAndUpdate(
-			membershipId,
-			{
-				role
-			}, {
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to update workspace membership'
-		});
-	}
-	
+  const {
+    membershipId
+  } = req.params;
+  const { role } = req.body;
+  
+  const membership = await Membership.findByIdAndUpdate(
+    membershipId,
+    {
+      role
+    }, {
+      new: true
+    }
+  );
+
 	return res.status(200).send({
 		membership
 	}); 
@@ -445,27 +391,18 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
         }
     }   
     */
-	let membership;
-	try {
-		const { 
-			membershipId
-		} = req.params;
-		
-		membership = await Membership.findByIdAndDelete(membershipId);
-		
-		if (!membership) throw new Error('Failed to delete workspace membership');
-		
-		await Key.deleteMany({
-			receiver: membership.user,
-			workspace: membership.workspace
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete workspace membership'
-		});	
-	}
+  const { 
+    membershipId
+  } = req.params;
+  
+  const membership = await Membership.findByIdAndDelete(membershipId);
+  
+  if (!membership) throw new Error('Failed to delete workspace membership');
+  
+  await Key.deleteMany({
+    receiver: membership.user,
+    workspace: membership.workspace
+  });
 	
 	return res.status(200).send({
 		membership
@@ -479,32 +416,23 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
  * @returns
  */
 export const toggleAutoCapitalization = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
-		const { autoCapitalization } = req.body;
+  const { workspaceId } = req.params;
+  const { autoCapitalization } = req.body;
 
-		workspace = await Workspace.findOneAndUpdate(
-			{
-				_id: workspaceId
-			},
-			{
-				autoCapitalization
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change autoCapitalization setting'
-		});
-	}
+  const workspace = await Workspace.findOneAndUpdate(
+    {
+      _id: workspaceId
+    },
+    {
+      autoCapitalization
+    },
+    {
+      new: true
+    }
+  );
 
 	return res.status(200).send({
 		message: 'Successfully changed autoCapitalization setting',
 		workspace
 	});
-};
+};

backend/src/controllers/v3/authController.ts

@@ -113,7 +113,7 @@ export const login2 = async (req: Request, res: Response) => {
 
         const user = await User.findOne({
             email,
-        }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+        }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag +devices');
 
         if (!user) throw new Error('Failed to find user');
 
@@ -179,12 +179,16 @@ export const login2 = async (req: Request, res: Response) => {
 
                     await checkUserDevice({
                         user,
-                        ip: req.ip,
+                        ip: req.realIP,
                         userAgent: req.headers['user-agent'] ?? ''
                     });
 
                     // issue tokens
-                    const tokens = await issueAuthTokens({ userId: user._id.toString() });
+                    const tokens = await issueAuthTokens({ 
+                        userId: user._id,
+                        ip: req.realIP,
+                        userAgent: req.headers['user-agent'] ?? ''
+                    });
 
                     // store (refresh) token in httpOnly cookie
                     res.cookie('jid', tokens.refreshToken, {
@@ -239,7 +243,7 @@ export const login2 = async (req: Request, res: Response) => {
                         userId: user._id,
                         actions: [loginAction],
                         channel: getChannelFromUserAgent(req.headers['user-agent']),
-                        ipAddress: req.ip
+                        ipAddress: req.realIP
                     });
 
                     return res.status(200).send(response);

backend/src/controllers/v3/secretsController.ts

@@ -1,183 +1,420 @@
-import { Request, Response } from 'express';
-import { Types } from 'mongoose';
-import { 
-    SecretService, 
-    TelemetryService,
-    EventService
-} from '../../services';
-import { eventPushSecrets } from '../../events';
-import { getAuthDataPayloadIdObj } from '../../utils/auth';
-import { BadRequestError } from '../../utils/errors';
+import { Request, Response } from "express";
+import { Types } from "mongoose";
+import { SecretService, EventService } from "../../services";
+import { eventPushSecrets } from "../../events";
+import { BotService } from "../../services";
+import { repackageSecretToRaw } from "../../helpers/secrets";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
 
 /**
- * Get secrets for workspace with id [workspaceId] and environment
- * [environment]
- * @param req 
- * @param res 
+ * Return secrets for workspace with id [workspaceId] and environment
+ * [environment] in plaintext
+ * @param req
+ * @param res
  */
-export const getSecrets = async (req: Request, res: Response) => {
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
+export const getSecretsRaw = async (req: Request, res: Response) => {
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
 
-    const secrets = await SecretService.getSecrets({
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        authData: req.authData
-    });
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData,
+  });
 
-    return res.status(200).send({
-        secrets
-    });
-}
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secrets: secrets.map((secret) => {
+      const rep = repackageSecretToRaw({
+        secret,
+        key
+      });
+  
+      return rep;
+    })
+  });
+};
 
 /**
- * Get secret with name [secretName]
- * @param req 
- * @param res 
+ * Return secret with name [secretName] in plaintext
+ * @param req
+ * @param res
  */
-export const getSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const workspaceId = req.query.workspaceId as string;
-    const environment = req.query.environment as string;
-    const type = req.query.type as 'shared' | 'personal' | undefined;
+export const getSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
 
-    const secret = await SecretService.getSecret({
-        secretName,
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        type,
-        authData: req.authData
-    });
-    
-    return res.status(200).send({
-        secret
-    });
-}
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData,
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
 
 /**
- * Create secret with name [secretName]
- * @param req 
+ * Create secret with name [secretName] in plaintext
+ * @param req
  * @param res 
  */
-export const createSecret = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const { 
-        workspaceId,
-        environment,
-        type,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag
-    } = req.body;
-    
-    const secret = await SecretService.createSecret({
-        secretName,
-        workspaceId: new Types.ObjectId(workspaceId),
-        environment,
-        type,
-        authData: req.authData,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag
-        } : {})
-    });
+export const createSecretRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValue,
+    secretComment,
+    secretPath = "/"
+  } = req.body;
+  
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
 
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const secretKeyEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretName,
+    key
+  });
 
-    const secretWithoutBlindIndex = secret.toObject();
-    delete secretWithoutBlindIndex.secretBlindIndex;
-    
-    return res.status(200).send({
-        secret: secretWithoutBlindIndex
-    });
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key
+  });
+  
+  const secretCommentEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretComment,
+    key
+  }); 
+  
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext: secretKeyEncrypted.ciphertext,
+    secretKeyIV: secretKeyEncrypted.iv,
+    secretKeyTag: secretKeyEncrypted.tag,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath,
+    secretCommentCiphertext: secretCommentEncrypted.ciphertext,
+    secretCommentIV: secretCommentEncrypted.iv,
+    secretCommentTag: secretCommentEncrypted.tag
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+  
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret: secretWithoutBlindIndex,
+      key
+    })
+  });
 }
 
 /**
  * Update secret with name [secretName]
  * @param req
- * @param res 
+ * @param res
  */
-export const updateSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const {
-        workspaceId,
-        environment,
-        type,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag
-    } = req.body;
+export const updateSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValue,
+    secretPath = "/",
+  } = req.body;
 
-    const secret = await SecretService.updateSecret({
-        secretName,
-        workspaceId,
-        environment,
-        type,
-        authData: req.authData,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag
-    });
-    
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
 
-    return res.status(200).send({
-        secret
-    });
-}
+  const secretValueEncrypted = encryptSymmetric128BitHexKeyUTF8({
+    plaintext: secretValue,
+    key
+  });
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext: secretValueEncrypted.ciphertext,
+    secretValueIV: secretValueEncrypted.iv,
+    secretValueTag: secretValueEncrypted.tag,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
 
 /**
  * Delete secret with name [secretName]
- * @param req 
- * @param res 
+ * @param req
+ * @param res
+ */
+export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const { 
+    workspaceId, 
+    environment, 
+    type, 
+    secretPath = "/" 
+  } = req.body;
+
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const key = await BotService.getWorkspaceKeyWithBot({
+    workspaceId: new Types.ObjectId(workspaceId)
+  });
+
+  return res.status(200).send({
+    secret: repackageSecretToRaw({
+      secret,
+      key
+    })
+  });
+};
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req
+ * @param res
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+
+  const secrets = await SecretService.getSecrets({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    secretPath,
+    authData: req.authData,
+  });
+
+  return res.status(200).send({
+    secrets,
+  });
+};
+
+/**
+ * Return secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const workspaceId = req.query.workspaceId as string;
+  const environment = req.query.environment as string;
+  const secretPath = req.query.secretPath as string;
+  const type = req.query.type as "shared" | "personal" | undefined;
+
+  const secret = await SecretService.getSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    secretPath,
+    authData: req.authData,
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};
+
+/**
+ * Create secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const createSecret = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag,
+    secretPath = "/",
+  } = req.body;
+
+  const secret = await SecretService.createSecret({
+    secretName,
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    type,
+    authData: req.authData,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  const secretWithoutBlindIndex = secret.toObject();
+  delete secretWithoutBlindIndex.secretBlindIndex;
+
+  return res.status(200).send({
+    secret: secretWithoutBlindIndex,
+  });
+};
+
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res
+ */
+export const updateSecretByName = async (req: Request, res: Response) => {
+  const { secretName } = req.params;
+  const {
+    workspaceId,
+    environment,
+    type,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath = "/",
+  } = req.body;
+
+  const secret = await SecretService.updateSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretPath,
+  });
+
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};
+
+/**
+ * Delete secret with name [secretName]
+ * @param req
+ * @param res
  */
 export const deleteSecretByName = async (req: Request, res: Response) => {
-    const { secretName } = req.params;
-    const {
-        workspaceId,
-        environment,
-        type
-    } = req.body;
-    
-    const { secret, secrets } = await SecretService.deleteSecret({
-        secretName,
-        workspaceId,
-        environment,
-        type,
-        authData: req.authData
-    });
+  const { secretName } = req.params;
+  const { 
+    workspaceId, 
+    environment, 
+    type, 
+    secretPath = "/" 
+  } = req.body;
 
-    await EventService.handleEvent({
-        event: eventPushSecrets({
-            workspaceId: new Types.ObjectId(workspaceId),
-            environment
-        })
-    });
+  const { secret } = await SecretService.deleteSecret({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData: req.authData,
+    secretPath,
+  });
 
-    return res.status(200).send({
-        secret
-    });
-}
+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+    }),
+  });
+
+  return res.status(200).send({
+    secret,
+  });
+};

backend/src/controllers/v3/signupController.ts

@@ -137,7 +137,9 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 
 		// issue tokens
 		const tokens = await issueAuthTokens({
-			userId: user._id.toString()
+			userId: user._id,
+			ip: req.realIP,
+			userAgent: req.headers['user-agent'] ?? ''
 		});
 
 		token = tokens.token;

backend/src/ee/controllers/v1/actionController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
 import { Action, SecretVersion } from '../../models';
 import { ActionNotFoundError } from '../../../utils/errors';
 
@@ -28,4 +27,4 @@ export const getAction = async (req: Request, res: Response) => {
     return res.status(200).send({
         action
     });
-}
+}

backend/src/ee/controllers/v1/cloudProductsController.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
 import { EELicenseService } from '../../services';
 import { getLicenseServerUrl } from '../../../config';
@@ -12,23 +11,18 @@ import { licenseServerKeyRequest } from '../../../config/request';
  * @returns 
  */
 export const getCloudProducts = async (req: Request, res: Response) => {
-    try {
-        const billingCycle = req.query['billing-cycle'] as string;
+    const billingCycle = req.query['billing-cycle'] as string;
 
-        if (EELicenseService.instanceType === 'cloud') {
-            const { data } = await licenseServerKeyRequest.get(
-                `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
-            ); 
+    if (EELicenseService.instanceType === 'cloud') {
+        const { data } = await licenseServerKeyRequest.get(
+            `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+        ); 
 
-            return res.status(200).send(data);
-        }
-    } catch (err) {
-        Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);
+        return res.status(200).send(data);
     }
     
     return res.status(200).send({
         head: [],
         rows: []
     });
-}
+}

backend/src/ee/controllers/v1/organizationsController.ts

@@ -8,8 +8,9 @@ import { EELicenseService } from '../../services';
  */
 export const getOrganizationPlan = async (req: Request, res: Response) => {
     const { organizationId } = req.params;
+    const workspaceId = req.query.workspaceId as string;
 
-    const plan = await EELicenseService.getOrganizationPlan(organizationId);
+    const plan = await EELicenseService.getPlan(organizationId, workspaceId);
 
     return res.status(200).send({
         plan,

backend/src/ee/controllers/v1/secretController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import { Secret } from "../../../models";
 import { SecretVersion } from "../../models";
 import { EESecretService } from "../../services";
@@ -55,29 +54,20 @@ export const getSecretVersions = async (req: Request, res: Response) => {
         }
     }   
     */
-  let secretVersions;
-  try {
-    const { secretId, workspaceId, environment, folderId } = req.params;
+  const { secretId, workspaceId, environment, folderId } = req.params;
 
-    const offset: number = parseInt(req.query.offset as string);
-    const limit: number = parseInt(req.query.limit as string);
+  const offset: number = parseInt(req.query.offset as string);
+  const limit: number = parseInt(req.query.limit as string);
 
-    secretVersions = await SecretVersion.find({
-      secret: secretId,
-      workspace: workspaceId,
-      environment,
-      folder: folderId,
-    })
-      .sort({ createdAt: -1 })
-      .skip(offset)
-      .limit(limit);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get secret versions",
-    });
-  }
+  const secretVersions = await SecretVersion.find({
+    secret: secretId,
+    workspace: workspaceId,
+    environment,
+    folder: folderId,
+  })
+    .sort({ createdAt: -1 })
+    .skip(offset)
+    .limit(limit);
 
   return res.status(200).send({
     secretVersions,
@@ -139,74 +129,45 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
         }
     }   
     */
-  let secret;
-  try {
-    const { secretId } = req.params;
-    const { version } = req.body;
+  const { secretId } = req.params;
+  const { version } = req.body;
 
-    // validate secret version
-    const oldSecretVersion = await SecretVersion.findOne({
-      secret: secretId,
-      version,
-    }).select("+secretBlindIndex");
+  // validate secret version
+  const oldSecretVersion = await SecretVersion.findOne({
+    secret: secretId,
+    version,
+  }).select("+secretBlindIndex");
 
-    if (!oldSecretVersion) throw new Error("Failed to find secret version");
+  if (!oldSecretVersion) throw new Error("Failed to find secret version");
 
-    const {
-      workspace,
-      type,
-      user,
-      environment,
-      secretBlindIndex,
-      secretKeyCiphertext,
-      secretKeyIV,
-      secretKeyTag,
-      secretValueCiphertext,
-      secretValueIV,
-      secretValueTag,
-      folder,
-      algorithm,
-      keyEncoding,
-    } = oldSecretVersion;
+  const {
+    workspace,
+    type,
+    user,
+    environment,
+    secretBlindIndex,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    algorithm,
+    folder,
+    keyEncoding,
+  } = oldSecretVersion;
 
-    // update secret
-    secret = await Secret.findByIdAndUpdate(
-      secretId,
-      {
-        $inc: {
-          version: 1,
-        },
-        workspace,
-        type,
-        user,
-        environment,
-        ...(secretBlindIndex ? { secretBlindIndex } : {}),
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        folderId: folder,
-        algorithm,
-        keyEncoding,
+  // update secret
+  const secret = await Secret.findByIdAndUpdate(
+    secretId,
+    {
+      $inc: {
+        version: 1,
       },
-      {
-        new: true,
-      }
-    );
-
-    if (!secret) throw new Error("Failed to find and update secret");
-
-    // add new secret version
-    await new SecretVersion({
-      secret: secretId,
-      version: secret.version,
       workspace,
       type,
       user,
       environment,
-      isDeleted: false,
       ...(secretBlindIndex ? { secretBlindIndex } : {}),
       secretKeyCiphertext,
       secretKeyIV,
@@ -214,24 +175,44 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
       secretValueCiphertext,
       secretValueIV,
       secretValueTag,
-      folder,
+      folderId: folder,
       algorithm,
       keyEncoding,
-    }).save();
+    },
+    {
+      new: true,
+    }
+  );
 
-    // take secret snapshot
-    await EESecretService.takeSecretSnapshot({
-      workspaceId: secret.workspace,
-      environment,
-      folderId: folder,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to roll back secret version",
-    });
-  }
+  if (!secret) throw new Error("Failed to find and update secret");
+
+  // add new secret version
+  await new SecretVersion({
+    secret: secretId,
+    version: secret.version,
+    workspace,
+    type,
+    user,
+    environment,
+    isDeleted: false,
+    ...(secretBlindIndex ? { secretBlindIndex } : {}),
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    folder,
+    algorithm,
+    keyEncoding,
+  }).save();
+
+  // take secret snapshot
+  await EESecretService.takeSecretSnapshot({
+    workspaceId: secret.workspace,
+    environment,
+    folderId: folder,
+  });
 
   return res.status(200).send({
     secret,

backend/src/ee/controllers/v1/secretSnapshotController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import {
   ISecretVersion,
   SecretSnapshot,
@@ -13,29 +12,21 @@ import {
  * @returns
  */
 export const getSecretSnapshot = async (req: Request, res: Response) => {
-  let secretSnapshot;
-  try {
-    const { secretSnapshotId } = req.params;
+  const { secretSnapshotId } = req.params;
 
-    secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
-      .lean()
-      .populate<{ secretVersions: ISecretVersion[] }>({
-        path: 'secretVersions',
-        populate: {
-          path: 'tags',
-          model: 'Tag'
-        }
-      })
-      .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
-
-    if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get secret snapshot",
-    });
-  }
+  const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId)
+    .lean()
+    .populate<{ secretVersions: ISecretVersion[] }>({
+      path: 'secretVersions',
+      populate: {
+        path: 'tags',
+        model: 'Tag'
+      }
+    })
+    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
+  
+  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+  
   const folderId = secretSnapshot.folderId;
   // to show only the folder required secrets
   secretSnapshot.secretVersions = secretSnapshot.secretVersions.filter(

backend/src/ee/controllers/v1/stripeController.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response } from 'express';
 import Stripe from 'stripe';
 import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
@@ -10,26 +9,17 @@ import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
  * @returns
  */
 export const handleWebhook = async (req: Request, res: Response) => {
-	let event;
-	try {
-		const stripe = new Stripe(await getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
+  const stripe = new Stripe(await getStripeSecretKey(), {
+    apiVersion: '2022-08-01'
+  });
 
-		// check request for valid stripe signature
-		const sig = req.headers['stripe-signature'] as string;
-		event = stripe.webhooks.constructEvent(
-			req.body,
-			sig,
-			await getStripeWebhookSecret()
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			error: 'Failed to process webhook'
-		});
-	}
+  // check request for valid stripe signature
+  const sig = req.headers['stripe-signature'] as string;
+  const event = stripe.webhooks.constructEvent(
+    req.body,
+    sig,
+    await getStripeWebhookSecret()
+  );
 
 	switch (event.type) {
 		case '':

backend/src/ee/controllers/v1/workspaceController.ts

@@ -1,5 +1,4 @@
 import { Request, Response } from "express";
-import * as Sentry from "@sentry/node";
 import { PipelineStage, Types } from "mongoose";
 import { Secret } from "../../../models";
 import {
@@ -69,29 +68,20 @@ export const getWorkspaceSecretSnapshots = async (
         }
     }
     */
-  let secretSnapshots;
-  try {
-    const { workspaceId } = req.params;
-    const { environment, folderId } = req.query;
+  const { workspaceId } = req.params;
+  const { environment, folderId } = req.query;
 
-    const offset: number = parseInt(req.query.offset as string);
-    const limit: number = parseInt(req.query.limit as string);
+  const offset: number = parseInt(req.query.offset as string);
+  const limit: number = parseInt(req.query.limit as string);
 
-    secretSnapshots = await SecretSnapshot.find({
-      workspace: workspaceId,
-      environment,
-      folderId: folderId || "root",
-    })
-      .sort({ createdAt: -1 })
-      .skip(offset)
-      .limit(limit);
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get secret snapshots",
-    });
-  }
+  const secretSnapshots = await SecretSnapshot.find({
+    workspace: workspaceId,
+    environment,
+    folderId: folderId || "root",
+  })
+    .sort({ createdAt: -1 })
+    .skip(offset)
+    .limit(limit);
 
   return res.status(200).send({
     secretSnapshots,
@@ -107,23 +97,14 @@ export const getWorkspaceSecretSnapshotsCount = async (
   req: Request,
   res: Response
 ) => {
-  let count;
-  try {
-    const { workspaceId } = req.params;
-    const { environment, folderId } = req.query;
+  const { workspaceId } = req.params;
+  const { environment, folderId } = req.query;
 
-    count = await SecretSnapshot.countDocuments({
-      workspace: workspaceId,
-      environment,
-      folderId: folderId || "root",
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to count number of secret snapshots",
-    });
-  }
+  const count = await SecretSnapshot.countDocuments({
+    workspace: workspaceId,
+    environment,
+    folderId: folderId || "root",
+  });
 
   return res.status(200).send({
     count,
@@ -191,324 +172,315 @@ export const rollbackWorkspaceSecretSnapshot = async (
     }   
     */
 
-  let secrets;
-  try {
-    const { workspaceId } = req.params;
-    const { version, environment, folderId = "root" } = req.body;
+  const { workspaceId } = req.params;
+  const { version, environment, folderId = "root" } = req.body;
 
-    // validate secret snapshot
-    const secretSnapshot = await SecretSnapshot.findOne({
-      workspace: workspaceId,
-      version,
-      environment,
-      folderId: folderId,
+  // validate secret snapshot
+  const secretSnapshot = await SecretSnapshot.findOne({
+    workspace: workspaceId,
+    version,
+    environment,
+    folderId: folderId,
+  })
+    .populate<{ secretVersions: ISecretVersion[] }>({
+      path: "secretVersions",
+      select: "+secretBlindIndex",
     })
-      .populate<{ secretVersions: ISecretVersion[] }>({
-        path: "secretVersions",
-        select: "+secretBlindIndex",
-      })
-      .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
+    .populate<{ folderVersion: TFolderRootVersionSchema }>("folderVersion");
 
-    if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
+  if (!secretSnapshot) throw new Error("Failed to find secret snapshot");
 
-    const snapshotFolderTree = secretSnapshot.folderVersion;
-    const latestFolderTree = await Folder.findOne({
-      workspace: workspaceId,
-      environment,
-    });
+  const snapshotFolderTree = secretSnapshot.folderVersion;
+  const latestFolderTree = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  });
 
-    const latestFolderVersion = await FolderVersion.findOne({
-      environment,
-      workspace: workspaceId,
-      "nodes.id": folderId,
-    }).sort({ "nodes.version": -1 });
+  const latestFolderVersion = await FolderVersion.findOne({
+    environment,
+    workspace: workspaceId,
+    "nodes.id": folderId,
+  }).sort({ "nodes.version": -1 });
 
-    const oldSecretVersionsObj: Record<string, ISecretVersion> = {};
-    const secretIds: Types.ObjectId[] = [];
-    const folderIds: string[] = [folderId];
+  const oldSecretVersionsObj: Record<string, ISecretVersion> = {};
+  const secretIds: Types.ObjectId[] = [];
+  const folderIds: string[] = [folderId];
 
-    secretSnapshot.secretVersions.forEach((snapSecVer) => {
-      oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
-      secretIds.push(snapSecVer.secret);
-    });
+  secretSnapshot.secretVersions.forEach((snapSecVer) => {
+    oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+    secretIds.push(snapSecVer.secret);
+  });
 
-    // the parent node from current latest one
-    // this will be modified according to the snapshot and latest snapshots
-    const newFolderTree =
-      latestFolderTree && searchByFolderId(latestFolderTree.nodes, folderId);
+  // the parent node from current latest one
+  // this will be modified according to the snapshot and latest snapshots
+  const newFolderTree =
+    latestFolderTree && searchByFolderId(latestFolderTree.nodes, folderId);
 
-    if (newFolderTree) {
-      newFolderTree.children = snapshotFolderTree?.nodes?.children || [];
-      const queue = [newFolderTree];
-      // a bfs algorithm in which we take the latest snapshots of all the folders in a level
+  if (newFolderTree) {
+    newFolderTree.children = snapshotFolderTree?.nodes?.children || [];
+    const queue = [newFolderTree];
+    // a bfs algorithm in which we take the latest snapshots of all the folders in a level
+    while (queue.length) {
+      const groupByFolderId: Record<string, TFolderSchema> = {};
+      // the original queue is popped out completely to get what ever in a level
+      // subqueue is filled with all the children thus next level folders
+      // subQueue will then be transfered to the oriinal queue
+      const subQueue: TFolderSchema[] = [];
+      // get everything inside a level
       while (queue.length) {
-        const groupByFolderId: Record<string, TFolderSchema> = {};
-        // the original queue is popped out completely to get what ever in a level
-        // subqueue is filled with all the children thus next level folders
-        // subQueue will then be transfered to the oriinal queue
-        const subQueue: TFolderSchema[] = [];
-        // get everything inside a level
-        while (queue.length) {
-          const folder = queue.pop() as TFolderSchema;
-          folder.children.forEach((el) => {
-            folderIds.push(el.id); // push ids and data into queu
-            subQueue.push(el);
-            // to modify the original tree very fast we keep a reference object
-            // key with folder id and pointing to the various nodes
-            groupByFolderId[el.id] = el;
-          });
-        }
-        // get latest snapshots of all the folder
-        const matchWsFoldersPipeline = {
-          $match: {
-            workspace: new Types.ObjectId(workspaceId),
-            environment,
-            folderId: {
-              $in: Object.keys(groupByFolderId),
-            },
-          },
-        };
-        const sortByFolderIdAndVersion: PipelineStage = {
-          $sort: { folderId: 1, version: -1 },
-        };
-        const pickLatestVersionOfEachFolder = {
-          $group: {
-            _id: "$folderId",
-            latestVersion: { $first: "$version" },
-            doc: {
-              $first: "$$ROOT",
-            },
-          },
-        };
-        const populateSecVersion = {
-          $lookup: {
-            from: SecretVersion.collection.name,
-            localField: "doc.secretVersions",
-            foreignField: "_id",
-            as: "doc.secretVersions",
-          },
-        };
-        const populateFolderVersion = {
-          $lookup: {
-            from: FolderVersion.collection.name,
-            localField: "doc.folderVersion",
-            foreignField: "_id",
-            as: "doc.folderVersion",
-          },
-        };
-        const unwindFolderVerField = {
-          $unwind: {
-            path: "$doc.folderVersion",
-            preserveNullAndEmptyArrays: true,
-          },
-        };
-        const latestSnapshotsByFolders: Array<{ doc: typeof secretSnapshot }> =
-          await SecretSnapshot.aggregate([
-            matchWsFoldersPipeline,
-            sortByFolderIdAndVersion,
-            pickLatestVersionOfEachFolder,
-            populateSecVersion,
-            populateFolderVersion,
-            unwindFolderVerField,
-          ]);
-
-        // recursive snapshotting each level
-        latestSnapshotsByFolders.forEach((snap) => {
-          // mutate the folder tree to update the nodes to the latest version tree
-          // we are reconstructing the folder tree by latest snapshots here
-          if (groupByFolderId[snap.doc.folderId]) {
-            groupByFolderId[snap.doc.folderId].children =
-              snap.doc?.folderVersion?.nodes?.children || [];
-          }
-
-          // push all children of next level snapshots
-          if (snap.doc.folderVersion?.nodes?.children) {
-            queue.push(...snap.doc.folderVersion.nodes.children);
-          }
-
-          snap.doc.secretVersions.forEach((snapSecVer) => {
-            // record all the secrets
-            oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
-            secretIds.push(snapSecVer.secret);
-          });
+        const folder = queue.pop() as TFolderSchema;
+        folder.children.forEach((el) => {
+          folderIds.push(el.id); // push ids and data into queu
+          subQueue.push(el);
+          // to modify the original tree very fast we keep a reference object
+          // key with folder id and pointing to the various nodes
+          groupByFolderId[el.id] = el;
         });
-
-        queue.push(...subQueue);
       }
-    }
-
-    // TODO: fix any
-    const latestSecretVersionIds = await getLatestSecretVersionIds({
-      secretIds,
-    });
-
-    // TODO: fix any
-    const latestSecretVersions: any = (
-      await SecretVersion.find(
-        {
-          _id: {
-            $in: latestSecretVersionIds.map((s) => s.versionId),
+      // get latest snapshots of all the folder
+      const matchWsFoldersPipeline = {
+        $match: {
+          workspace: new Types.ObjectId(workspaceId),
+          environment,
+          folderId: {
+            $in: Object.keys(groupByFolderId),
           },
         },
-        "secret version"
-      )
-    ).reduce(
-      (accumulator, s) => ({
-        ...accumulator,
-        [`${s.secret.toString()}`]: s,
-      }),
-      {}
-    );
+      };
+      const sortByFolderIdAndVersion: PipelineStage = {
+        $sort: { folderId: 1, version: -1 },
+      };
+      const pickLatestVersionOfEachFolder = {
+        $group: {
+          _id: "$folderId",
+          latestVersion: { $first: "$version" },
+          doc: {
+            $first: "$$ROOT",
+          },
+        },
+      };
+      const populateSecVersion = {
+        $lookup: {
+          from: SecretVersion.collection.name,
+          localField: "doc.secretVersions",
+          foreignField: "_id",
+          as: "doc.secretVersions",
+        },
+      };
+      const populateFolderVersion = {
+        $lookup: {
+          from: FolderVersion.collection.name,
+          localField: "doc.folderVersion",
+          foreignField: "_id",
+          as: "doc.folderVersion",
+        },
+      };
+      const unwindFolderVerField = {
+        $unwind: {
+          path: "$doc.folderVersion",
+          preserveNullAndEmptyArrays: true,
+        },
+      };
+      const latestSnapshotsByFolders: Array<{ doc: typeof secretSnapshot }> =
+        await SecretSnapshot.aggregate([
+          matchWsFoldersPipeline,
+          sortByFolderIdAndVersion,
+          pickLatestVersionOfEachFolder,
+          populateSecVersion,
+          populateFolderVersion,
+          unwindFolderVerField,
+        ]);
 
-    const secDelQuery: Record<string, unknown> = {
-      workspace: workspaceId,
-      environment,
-      // undefined means root thus collect all secrets
-    };
-    if (folderId !== "root" && folderIds.length)
-      secDelQuery.folder = { $in: folderIds };
+      // recursive snapshotting each level
+      latestSnapshotsByFolders.forEach((snap) => {
+        // mutate the folder tree to update the nodes to the latest version tree
+        // we are reconstructing the folder tree by latest snapshots here
+        if (groupByFolderId[snap.doc.folderId]) {
+          groupByFolderId[snap.doc.folderId].children =
+            snap.doc?.folderVersion?.nodes?.children || [];
+        }
 
-    // delete existing secrets
-    await Secret.deleteMany(secDelQuery);
-    await Folder.deleteOne({
-      workspace: workspaceId,
-      environment,
-    });
+        // push all children of next level snapshots
+        if (snap.doc.folderVersion?.nodes?.children) {
+          queue.push(...snap.doc.folderVersion.nodes.children);
+        }
 
-    // add secrets
-    secrets = await Secret.insertMany(
-      Object.keys(oldSecretVersionsObj).map((sv) => {
-        const {
-          secret: secretId,
-          workspace,
-          type,
-          user,
-          environment,
-          secretBlindIndex,
-          secretKeyCiphertext,
-          secretKeyIV,
-          secretKeyTag,
-          secretValueCiphertext,
-          secretValueIV,
-          secretValueTag,
-          createdAt,
-          algorithm,
-          keyEncoding,
-          folder: secFolderId,
-        } = oldSecretVersionsObj[sv];
-
-        return {
-          _id: secretId,
-          version: latestSecretVersions[secretId.toString()].version + 1,
-          workspace,
-          type,
-          user,
-          environment,
-          secretBlindIndex: secretBlindIndex ?? undefined,
-          secretKeyCiphertext,
-          secretKeyIV,
-          secretKeyTag,
-          secretValueCiphertext,
-          secretValueIV,
-          secretValueTag,
-          secretCommentCiphertext: "",
-          secretCommentIV: "",
-          secretCommentTag: "",
-          createdAt,
-          algorithm,
-          keyEncoding,
-          folder: secFolderId,
-        };
-      })
-    );
-
-    // add secret versions
-    const secretV = await SecretVersion.insertMany(
-      secrets.map(
-        ({
-          _id,
-          version,
-          workspace,
-          type,
-          user,
-          environment,
-          secretBlindIndex,
-          secretKeyCiphertext,
-          secretKeyIV,
-          secretKeyTag,
-          secretValueCiphertext,
-          secretValueIV,
-          secretValueTag,
-          algorithm,
-          keyEncoding,
-          folder: secFolderId,
-        }) => ({
-          _id: new Types.ObjectId(),
-          secret: _id,
-          version,
-          workspace,
-          type,
-          user,
-          environment,
-          isDeleted: false,
-          secretBlindIndex: secretBlindIndex ?? undefined,
-          secretKeyCiphertext,
-          secretKeyIV,
-          secretKeyTag,
-          secretValueCiphertext,
-          secretValueIV,
-          secretValueTag,
-          algorithm,
-          keyEncoding,
-          folder: secFolderId,
-        })
-      )
-    );
-
-    if (newFolderTree && latestFolderTree) {
-      // save the updated folder tree to the present one
-      newFolderTree.version = (latestFolderVersion?.nodes?.version || 0) + 1;
-      latestFolderTree._id = new Types.ObjectId();
-      latestFolderTree.isNew = true;
-      await latestFolderTree.save();
-
-      // create new folder version
-      const newFolderVersion = new FolderVersion({
-        workspace: workspaceId,
-        environment,
-        nodes: newFolderTree,
+        snap.doc.secretVersions.forEach((snapSecVer) => {
+          // record all the secrets
+          oldSecretVersionsObj[snapSecVer.secret.toString()] = snapSecVer;
+          secretIds.push(snapSecVer.secret);
+        });
       });
-      await newFolderVersion.save();
-    }
 
-    // update secret versions of restored secrets as not deleted
-    await SecretVersion.updateMany(
+      queue.push(...subQueue);
+    }
+  }
+
+  // TODO: fix any
+  const latestSecretVersionIds = await getLatestSecretVersionIds({
+    secretIds,
+  });
+
+  // TODO: fix any
+  const latestSecretVersions: any = (
+    await SecretVersion.find(
       {
-        secret: {
-          $in: Object.keys(oldSecretVersionsObj).map(
-            (sv) => oldSecretVersionsObj[sv].secret
-          ),
+        _id: {
+          $in: latestSecretVersionIds.map((s) => s.versionId),
         },
       },
-      {
-        isDeleted: false,
-      }
-    );
+      "secret version"
+    )
+  ).reduce(
+    (accumulator, s) => ({
+      ...accumulator,
+      [`${s.secret.toString()}`]: s,
+    }),
+    {}
+  );
 
-    // take secret snapshot
-    await EESecretService.takeSecretSnapshot({
-      workspaceId: new Types.ObjectId(workspaceId),
+  const secDelQuery: Record<string, unknown> = {
+    workspace: workspaceId,
+    environment,
+    // undefined means root thus collect all secrets
+  };
+  if (folderId !== "root" && folderIds.length)
+    secDelQuery.folder = { $in: folderIds };
+
+  // delete existing secrets
+  await Secret.deleteMany(secDelQuery);
+  await Folder.deleteOne({
+    workspace: workspaceId,
+    environment,
+  });
+
+  // add secrets
+  const secrets = await Secret.insertMany(
+    Object.keys(oldSecretVersionsObj).map((sv) => {
+      const {
+        secret: secretId,
+        workspace,
+        type,
+        user,
+        environment,
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        createdAt,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      } = oldSecretVersionsObj[sv];
+
+      return {
+        _id: secretId,
+        version: latestSecretVersions[secretId.toString()].version + 1,
+        workspace,
+        type,
+        user,
+        environment,
+        secretBlindIndex: secretBlindIndex ?? undefined,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext: "",
+        secretCommentIV: "",
+        secretCommentTag: "",
+        createdAt,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      };
+    })
+  );
+
+  // add secret versions
+  const secretV = await SecretVersion.insertMany(
+    secrets.map(
+      ({
+        _id,
+        version,
+        workspace,
+        type,
+        user,
+        environment,
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      }) => ({
+        _id: new Types.ObjectId(),
+        secret: _id,
+        version,
+        workspace,
+        type,
+        user,
+        environment,
+        isDeleted: false,
+        secretBlindIndex: secretBlindIndex ?? undefined,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        algorithm,
+        keyEncoding,
+        folder: secFolderId,
+      })
+    )
+  );
+
+  if (newFolderTree && latestFolderTree) {
+    // save the updated folder tree to the present one
+    newFolderTree.version = (latestFolderVersion?.nodes?.version || 0) + 1;
+    latestFolderTree._id = new Types.ObjectId();
+    latestFolderTree.isNew = true;
+    await latestFolderTree.save();
+
+    // create new folder version
+    const newFolderVersion = new FolderVersion({
+      workspace: workspaceId,
       environment,
-      folderId,
-    });
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to roll back secret snapshot",
+      nodes: newFolderTree,
     });
+    await newFolderVersion.save();
   }
 
+  // update secret versions of restored secrets as not deleted
+  await SecretVersion.updateMany(
+    {
+      secret: {
+        $in: Object.keys(oldSecretVersionsObj).map(
+          (sv) => oldSecretVersionsObj[sv].secret
+        ),
+      },
+    },
+    {
+      isDeleted: false,
+    }
+  );
+
+  // take secret snapshot
+  await EESecretService.takeSecretSnapshot({
+    workspaceId: new Types.ObjectId(workspaceId),
+    environment,
+    folderId,
+  });
+
   return res.status(200).send({
     secrets,
   });
@@ -587,39 +559,30 @@ export const getWorkspaceLogs = async (req: Request, res: Response) => {
         }
     }   
     */
-  let logs;
-  try {
-    const { workspaceId } = req.params;
+  const { workspaceId } = req.params;
 
-    const offset: number = parseInt(req.query.offset as string);
-    const limit: number = parseInt(req.query.limit as string);
-    const sortBy: string = req.query.sortBy as string;
-    const userId: string = req.query.userId as string;
-    const actionNames: string = req.query.actionNames as string;
+  const offset: number = parseInt(req.query.offset as string);
+  const limit: number = parseInt(req.query.limit as string);
+  const sortBy: string = req.query.sortBy as string;
+  const userId: string = req.query.userId as string;
+  const actionNames: string = req.query.actionNames as string;
 
-    logs = await Log.find({
-      workspace: workspaceId,
-      ...(userId ? { user: userId } : {}),
-      ...(actionNames
-        ? {
-            actionNames: {
-              $in: actionNames.split(","),
-            },
-          }
-        : {}),
-    })
-      .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
-      .skip(offset)
-      .limit(limit)
-      .populate("actions")
-      .populate("user serviceAccount serviceTokenData");
-  } catch (err) {
-    Sentry.setUser({ email: req.user.email });
-    Sentry.captureException(err);
-    return res.status(400).send({
-      message: "Failed to get workspace logs",
-    });
-  }
+  const logs = await Log.find({
+    workspace: workspaceId,
+    ...(userId ? { user: userId } : {}),
+    ...(actionNames
+      ? {
+          actionNames: {
+            $in: actionNames.split(","),
+          },
+        }
+      : {}),
+  })
+    .sort({ createdAt: sortBy === "recent" ? -1 : 1 })
+    .skip(offset)
+    .limit(limit)
+    .populate("actions")
+    .populate("user serviceAccount serviceTokenData");
 
   return res.status(200).send({
     logs,

backend/src/ee/routes/v1/organizations.ts

@@ -5,7 +5,7 @@ import {
     requireOrganizationAuth,
     validateRequest
 } from '../../../middleware';
-import { param, body } from 'express-validator';
+import { param, body, query } from 'express-validator';
 import { organizationsController } from '../../controllers/v1';
 import {
     OWNER, ADMIN, MEMBER, ACCEPTED
@@ -21,6 +21,7 @@ router.get(
         acceptedStatuses: [ACCEPTED]
     }),
     param('organizationId').exists().trim(),
+    query('workspaceId').optional().isString(),
     validateRequest,
     organizationsController.getOrganizationPlan
 );

backend/src/ee/services/EELicenseService.ts

@@ -1,5 +1,5 @@
-import NodeCache from 'node-cache';
 import * as Sentry from '@sentry/node';
+import NodeCache from 'node-cache';
 import { 
     getLicenseKey,
     getLicenseServerKey,
@@ -22,6 +22,8 @@ interface FeatureSet {
     workspacesUsed: number;
     memberLimit: number | null;
     membersUsed: number;
+    environmentLimit: number | null;
+    environmentsUsed: number;
     secretVersioning: boolean;
     pitRecovery: boolean;
     rbac: boolean;
@@ -50,6 +52,8 @@ class EELicenseService {
         workspacesUsed: 0,
         memberLimit: null,
         membersUsed: 0,
+        environmentLimit: null,
+        environmentsUsed: 0,
         secretVersioning: true,
         pitRecovery: true,
         rbac: true,
@@ -67,10 +71,10 @@ class EELicenseService {
         });
     }
     
-    public async getOrganizationPlan(organizationId: string): Promise<FeatureSet> {
+    public async getPlan(organizationId: string, workspaceId?: string): Promise<FeatureSet> {
         try {
             if (this.instanceType === 'cloud') {
-                const cachedPlan = this.localFeatureSet.get<FeatureSet>(organizationId);
+                const cachedPlan = this.localFeatureSet.get<FeatureSet>(`${organizationId}-${workspaceId ?? ''}`);
                 if (cachedPlan) {
                     return cachedPlan;
                 }
@@ -78,12 +82,16 @@ class EELicenseService {
                 const organization = await Organization.findById(organizationId);
                 if (!organization) throw OrganizationNotFoundError();
 
-                const { data: { currentPlan } } = await licenseServerKeyRequest.get(
-                    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`
-                );
+                let url = `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`;
+
+                if (workspaceId) {
+                    url += `?workspaceId=${workspaceId}`;
+                }
+
+                const { data: { currentPlan } } = await licenseServerKeyRequest.get(url);
 
                 // cache fetched plan for organization
-                this.localFeatureSet.set(organizationId, currentPlan);
+                this.localFeatureSet.set(`${organizationId}-${workspaceId ?? ''}`, currentPlan);
 
                 return currentPlan;
             }
@@ -93,6 +101,13 @@ class EELicenseService {
 
         return this.globalFeatureSet;
     }
+    
+    public async refreshPlan(organizationId: string, workspaceId?: string) {
+        if (this.instanceType === 'cloud') {
+            this.localFeatureSet.del(`${organizationId}-${workspaceId ?? ''}`);
+            await this.getPlan(organizationId, workspaceId);
+        }
+    }
 
     public async initGlobalFeatureSet() {
         const licenseServerKey = await getLicenseServerKey();
@@ -135,4 +150,4 @@ class EELicenseService {
     }
 }
 
-export default new EELicenseService();
+export default new EELicenseService();

backend/src/helpers/auth.ts

@@ -6,7 +6,9 @@ import {
 	User,
 	ServiceTokenData,
 	ServiceAccount,
-	APIKeyData
+	APIKeyData,
+	TokenVersion,
+	ITokenVersion
 } from '../models';
 import {
 	AccountNotFoundError,
@@ -35,7 +37,7 @@ import {
  * @param {Object} obj
  * @param {Object} obj.headers - HTTP request headers object
  */
-const validateAuthMode = ({
+export const validateAuthMode = ({
 	headers,
 	acceptedAuthModes
 }: {
@@ -97,7 +99,7 @@ const validateAuthMode = ({
  * @param {String} obj.authTokenValue - JWT token value
  * @returns {User} user - user corresponding to JWT token
  */
-const getAuthUserPayload = async ({
+export const getAuthUserPayload = async ({
 	authTokenValue
 }: {
 	authTokenValue: string;
@@ -107,14 +109,32 @@ const getAuthUserPayload = async ({
 	);
 
 	const user = await User.findOne({
-		_id: decodedToken.userId
-	}).select('+publicKey');
+		_id: new Types.ObjectId(decodedToken.userId)
+	}).select('+publicKey +accessVersion');
 
-	if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
+	if (!user) throw AccountNotFoundError({ message: 'Failed to find user' });
 
-	if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
+	if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate user with partially set up account' });
 
-	return user;
+	const tokenVersion = await TokenVersion.findOneAndUpdate({
+		_id: new Types.ObjectId(decodedToken.tokenVersionId),
+		user: user._id
+	}, {
+		lastUsed: new Date()
+	});
+	
+	if (!tokenVersion) throw UnauthorizedRequestError({
+		message: 'Failed to validate access token'
+	});
+	
+	if (decodedToken.accessVersion !== tokenVersion.accessVersion) throw UnauthorizedRequestError({
+		message: 'Failed to validate access token'
+	});
+
+	return ({
+		user,
+		tokenVersionId: tokenVersion._id
+	});
 }
 
 /**
@@ -123,7 +143,7 @@ const getAuthUserPayload = async ({
  * @param {String} obj.authTokenValue - service token value
  * @returns {ServiceTokenData} serviceTokenData - service token data
  */
-const getAuthSTDPayload = async ({
+export const getAuthSTDPayload = async ({
 	authTokenValue
 }: {
 	authTokenValue: string;
@@ -169,7 +189,7 @@ const getAuthSTDPayload = async ({
  * @param {String} obj.authTokenValue - service account access token value
  * @returns {ServiceAccount} serviceAccount
  */
-const getAuthSAAKPayload = async ({
+export const getAuthSAAKPayload = async ({
 	authTokenValue
 }: {
 	authTokenValue: string;
@@ -198,7 +218,7 @@ const getAuthSAAKPayload = async ({
  * @param {String} obj.authTokenValue - API key value
  * @returns {APIKeyData} apiKeyData - API key data
  */
-const getAuthAPIKeyPayload = async ({
+export const getAuthAPIKeyPayload = async ({
 	authTokenValue
 }: {
 	authTokenValue: string;
@@ -255,12 +275,43 @@ const getAuthAPIKeyPayload = async ({
  * @return {String} obj.token - issued JWT token
  * @return {String} obj.refreshToken - issued refresh token
  */
-const issueAuthTokens = async ({ userId }: { userId: string }) => {
+export const issueAuthTokens = async ({ 
+	userId,
+	ip,
+	userAgent
+}: { 
+	userId: Types.ObjectId;
+	ip: string;
+	userAgent: string;
+}) => {
+	let tokenVersion: ITokenVersion | null;
+
+	// continue with (session) token version matching existing ip and user agent
+	tokenVersion = await TokenVersion.findOne({
+		user: userId,
+		ip,
+		userAgent
+	});
+	
+	if (!tokenVersion) {
+		// case: no existing ip and user agent exists
+		// -> create new (session) token version for ip and user agent
+		tokenVersion = await new TokenVersion({
+			user: userId,
+			refreshVersion: 0,
+			accessVersion: 0,
+			ip,
+			userAgent,
+			lastUsed: new Date()
+		}).save();
+	}
 
 	// issue tokens
 	const token = createToken({
 		payload: {
-			userId
+			userId,
+			tokenVersionId: tokenVersion._id.toString(),
+			accessVersion: tokenVersion.accessVersion
 		},
 		expiresIn: await getJwtAuthLifetime(),
 		secret: await getJwtAuthSecret()
@@ -268,7 +319,9 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
 
 	const refreshToken = createToken({
 		payload: {
-			userId
+			userId,
+			tokenVersionId: tokenVersion._id.toString(),
+			refreshVersion: tokenVersion.refreshVersion
 		},
 		expiresIn: await getJwtRefreshLifetime(),
 		secret: await getJwtRefreshSecret()
@@ -285,13 +338,15 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
  * @param {Object} obj
  * @param {String} obj.userId - id of user whose tokens are cleared.
  */
-const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
+export const clearTokens = async (tokenVersionId: Types.ObjectId): Promise<void> => {
 	// increment refreshVersion on user by 1
-	User.findOneAndUpdate({
-		_id: userId
+
+	await TokenVersion.findOneAndUpdate({
+		_id: tokenVersionId
 	}, {
 		$inc: {
-			refreshVersion: 1
+			refreshVersion: 1,
+			accessVersion: 1
 		}
 	});
 };
@@ -304,7 +359,7 @@ const clearTokens = async ({ userId }: { userId: string }): Promise<void> => {
  * @param {String} obj.secret - (JWT) secret such as [JWT_AUTH_SECRET]
  * @param {String} obj.expiresIn - string describing time span such as '10h' or '7d'
  */
-const createToken = ({
+export const createToken = ({
 	payload,
 	expiresIn,
 	secret
@@ -318,7 +373,7 @@ const createToken = ({
 	});
 };
 
-const validateProviderAuthToken = async ({
+export const validateProviderAuthToken = async ({
 	email,
 	user,
 	providerAuthToken,
@@ -341,16 +396,4 @@ const validateProviderAuthToken = async ({
 	) {
 		throw new Error('Invalid authentication credentials.')
 	}
-}
-
-export {
-	validateAuthMode,
-	validateProviderAuthToken,
-	getAuthUserPayload,
-	getAuthSTDPayload,
-	getAuthSAAKPayload,
-	getAuthAPIKeyPayload,
-	createToken,
-	issueAuthTokens,
-	clearTokens
-};
+}

backend/src/helpers/bot.ts

@@ -31,7 +31,7 @@ import { InternalServerError } from "../utils/errors";
  * @param {String} obj.name - name of bot
  * @param {String} obj.workspaceId - id of workspace that bot belongs to
  */
-const createBot = async ({
+export const createBot = async ({
   name,
   workspaceId,
 }: {
@@ -86,6 +86,18 @@ const createBot = async ({
   });
 };
 
+/**
+ * Return whether or not workspace with id [workspaceId] is end-to-end encrypted
+ * @param {Types.ObjectId} workspaceId - id of workspace to check
+ */
+export const getIsWorkspaceE2EEHelper = async (workspaceId: Types.ObjectId) => {
+  const botKey = await BotKey.exists({
+    workspace: workspaceId
+  }); 
+  
+  return botKey ? false : true;
+}
+
 /**
  * Return decrypted secrets for workspace with id [workspaceId]
  * and [environment] using bot
@@ -93,7 +105,7 @@ const createBot = async ({
  * @param {String} obj.workspaceId - id of workspace
  * @param {String} obj.environment - environment
  */
-const getSecretsHelper = async ({
+export const getSecretsBotHelper = async ({
   workspaceId,
   environment,
 }: {
@@ -101,7 +113,7 @@ const getSecretsHelper = async ({
   environment: string;
 }) => {
   const content = {} as any;
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
   const secrets = await Secret.find({
     workspace: workspaceId,
     environment,
@@ -136,7 +148,7 @@ const getSecretsHelper = async ({
  * @param {String} obj.workspaceId - id of workspace
  * @returns {String} key - decrypted workspace key
  */
-const getKey = async ({ workspaceId }: { workspaceId: string }) => {
+export const getKey = async ({ workspaceId }: { workspaceId: Types.ObjectId }) => {
   const encryptionKey = await getEncryptionKey();
   const rootEncryptionKey = await getRootEncryptionKey();
 
@@ -194,14 +206,14 @@ const getKey = async ({ workspaceId }: { workspaceId: string }) => {
  * @param {String} obj1.workspaceId - id of workspace
  * @param {String} obj1.plaintext - plaintext to encrypt
  */
-const encryptSymmetricHelper = async ({
+export const encryptSymmetricHelper = async ({
   workspaceId,
   plaintext,
 }: {
   workspaceId: Types.ObjectId;
   plaintext: string;
 }) => {
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
   const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
     plaintext,
     key,
@@ -222,7 +234,7 @@ const encryptSymmetricHelper = async ({
  * @param {String} obj.iv - iv
  * @param {String} obj.tag - tag
  */
-const decryptSymmetricHelper = async ({
+export const decryptSymmetricHelper = async ({
   workspaceId,
   ciphertext,
   iv,
@@ -233,7 +245,7 @@ const decryptSymmetricHelper = async ({
   iv: string;
   tag: string;
 }) => {
-  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const key = await getKey({ workspaceId: workspaceId });
   const plaintext = decryptSymmetric128BitHexKeyUTF8({
     ciphertext,
     iv,
@@ -242,11 +254,4 @@ const decryptSymmetricHelper = async ({
   });
 
   return plaintext;
-};
-
-export {
-  createBot,
-  getSecretsHelper,
-  encryptSymmetricHelper,
-  decryptSymmetricHelper
-};
+};

backend/src/helpers/database.ts

@@ -7,7 +7,7 @@ import { getLogger } from '../utils/logger';
  * @param {String} obj.mongoURL - mongo connection string
  * @returns 
  */
-const initDatabaseHelper = async ({
+export const initDatabaseHelper = async ({
     mongoURL
 }: {
     mongoURL: string;
@@ -30,7 +30,7 @@ const initDatabaseHelper = async ({
 /**
  * Close database conection
  */
-const closeDatabaseHelper = async () => {
+export const closeDatabaseHelper = async () => {
     return Promise.all([
         new Promise((resolve) => {
             if (mongoose.connection && mongoose.connection.readyState == 1) {
@@ -41,9 +41,4 @@ const closeDatabaseHelper = async () => {
             }
         })
     ]);
-}
-
-export {
-    initDatabaseHelper,
-    closeDatabaseHelper
 }

backend/src/helpers/event.ts

@@ -18,7 +18,7 @@ interface Event {
  * @param {String} obj.event.workspaceId - id of workspace that event is part of
  * @param {Object} obj.event.payload - payload of event (depends on event)
  */
-const handleEventHelper = async ({ event }: { event: Event }) => {
+export const handleEventHelper = async ({ event }: { event: Event }) => {
   const { workspaceId, environment } = event;
 
   // TODO: moduralize bot check into separate function
@@ -37,6 +37,4 @@ const handleEventHelper = async ({ event }: { event: Event }) => {
       });
       break;
   }
-};
-
-export { handleEventHelper };
+};

backend/src/helpers/index.ts

@@ -0,0 +1,17 @@
+export * from './auth';
+export * from './bot';
+export * from './database';
+export * from './event';
+export * from './integration';
+export * from './key';
+export * from './membership';
+export * from './membershipOrg';
+export * from './nodemailer';
+export * from './organization';
+export * from './rateLimiter';
+export * from './secret';
+export * from './secrets';
+export * from './signup';
+export * from './token';
+export * from './user';
+export * from './workspace';

backend/src/helpers/integration.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import {
     Bot,
@@ -16,7 +15,6 @@ import {
 import { 
     UnauthorizedRequestError,
 } from '../utils/errors';
-import RequestError from '../utils/requestError';
 
 interface Update {
     workspace: string;
@@ -37,7 +35,7 @@ interface Update {
  * @param {String} obj.code - code
  * @returns {IntegrationAuth} integrationAuth - integration auth after OAuth2 code-token exchange
 */
-const handleOAuthExchangeHelper = async ({
+export const handleOAuthExchangeHelper = async ({
     workspaceId,
     integration,
     code,
@@ -48,66 +46,59 @@ const handleOAuthExchangeHelper = async ({
     code: string;
     environment: string;
 }) => {
-    let integrationAuth;
-    try {
-        const bot = await Bot.findOne({
-            workspace: workspaceId,
-            isActive: true
+    const bot = await Bot.findOne({
+        workspace: workspaceId,
+        isActive: true
+    });
+    
+    if (!bot) throw new Error('Bot must be enabled for OAuth2 code-token exchange');
+    
+    // exchange code for access and refresh tokens
+    const res = await exchangeCode({
+        integration,
+        code
+    });
+    
+    const update: Update = {
+        workspace: workspaceId,
+        integration
+    }
+    
+    switch (integration) {
+        case INTEGRATION_VERCEL:
+            update.teamId = res.teamId;
+            break;
+        case INTEGRATION_NETLIFY:
+            update.accountId = res.accountId;
+            break;
+    }
+    
+    const integrationAuth = await IntegrationAuth.findOneAndUpdate({
+        workspace: workspaceId,
+        integration
+    }, update, {
+        new: true,
+        upsert: true
+    });
+    
+    if (res.refreshToken) {
+        // case: refresh token returned from exchange
+        // set integration auth refresh token
+        await setIntegrationAuthRefreshHelper({
+            integrationAuthId: integrationAuth._id.toString(),
+            refreshToken: res.refreshToken
         });
-        
-        if (!bot) throw new Error('Bot must be enabled for OAuth2 code-token exchange');
-        
-        // exchange code for access and refresh tokens
-        const res = await exchangeCode({
-            integration,
-            code
+    }
+    
+    if (res.accessToken) {
+        // case: access token returned from exchange
+        // set integration auth access token
+        await setIntegrationAuthAccessHelper({
+            integrationAuthId: integrationAuth._id.toString(),
+            accessId: null,
+            accessToken: res.accessToken,
+            accessExpiresAt: res.accessExpiresAt
         });
-        
-        const update: Update = {
-            workspace: workspaceId,
-            integration
-        }
-        
-        switch (integration) {
-            case INTEGRATION_VERCEL:
-                update.teamId = res.teamId;
-                break;
-            case INTEGRATION_NETLIFY:
-                update.accountId = res.accountId;
-                break;
-        }
-        
-        integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            workspace: workspaceId,
-            integration
-        }, update, {
-            new: true,
-            upsert: true
-        });
-        
-        if (res.refreshToken) {
-            // case: refresh token returned from exchange
-            // set integration auth refresh token
-            await setIntegrationAuthRefreshHelper({
-                integrationAuthId: integrationAuth._id.toString(),
-                refreshToken: res.refreshToken
-            });
-        }
-        
-        if (res.accessToken) {
-            // case: access token returned from exchange
-            // set integration auth access token
-            await setIntegrationAuthAccessHelper({
-                integrationAuthId: integrationAuth._id.toString(),
-                accessId: null,
-                accessToken: res.accessToken,
-                accessExpiresAt: res.accessExpiresAt
-            });
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to handle OAuth2 code-token exchange')
     }
     
     return integrationAuth;
@@ -118,54 +109,47 @@ const handleOAuthExchangeHelper = async ({
  * @param {Object} obj
  * @param {Object} obj.workspaceId - id of workspace
  */
-const syncIntegrationsHelper = async ({
+export const syncIntegrationsHelper = async ({
     workspaceId,
     environment
 }: {
     workspaceId: Types.ObjectId;
     environment?: string;
 }) => {
-    let integrations;
-    try {
-        integrations = await Integration.find({
-            workspace: workspaceId,
-            ...(environment ? {
-                environment
-            } : {}),
-            isActive: true,
-            app: { $ne: null }
+    const integrations = await Integration.find({
+        workspace: workspaceId,
+        ...(environment ? {
+            environment
+        } : {}),
+        isActive: true,
+        app: { $ne: null }
+    });
+
+    // for each workspace integration, sync/push secrets
+    // to that integration
+    for await (const integration of integrations) {
+        // get workspace, environment (shared) secrets
+        const secrets = await BotService.getSecrets({ // issue here?
+            workspaceId: integration.workspace,
+            environment: integration.environment
         });
 
-        // for each workspace integration, sync/push secrets
-        // to that integration
-        for await (const integration of integrations) {
-            // get workspace, environment (shared) secrets
-            const secrets = await BotService.getSecrets({ // issue here?
-                workspaceId: integration.workspace,
-                environment: integration.environment
-            });
+        const integrationAuth = await IntegrationAuth.findById(integration.integrationAuth);
+        if (!integrationAuth) throw new Error('Failed to find integration auth');
+        
+        // get integration auth access token
+        const access = await getIntegrationAuthAccessHelper({
+            integrationAuthId: integration.integrationAuth
+        });
 
-            const integrationAuth = await IntegrationAuth.findById(integration.integrationAuth);
-            if (!integrationAuth) throw new Error('Failed to find integration auth');
-            
-            // get integration auth access token
-            const access = await getIntegrationAuthAccessHelper({
-                integrationAuthId: integration.integrationAuth
-            });
-
-            // sync secrets to integration
-            await syncSecrets({
-                integration,
-                integrationAuth,
-                secrets,
-                accessId: access.accessId === undefined ? null : access.accessId,
-                accessToken: access.accessToken
-            });
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to sync secrets to integrations');
+        // sync secrets to integration
+        await syncSecrets({
+            integration,
+            integrationAuth,
+            secrets,
+            accessId: access.accessId === undefined ? null : access.accessId,
+            accessToken: access.accessToken
+        });
     }
 }
 
@@ -177,31 +161,19 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} refreshToken - decrypted refresh token
  */
- const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
-    let refreshToken;
-	
-    try {
-        const integrationAuth = await IntegrationAuth
-            .findById(integrationAuthId)
-            .select('+refreshCiphertext +refreshIV +refreshTag');
+export const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
+    const integrationAuth = await IntegrationAuth
+        .findById(integrationAuthId)
+        .select('+refreshCiphertext +refreshIV +refreshTag');
 
-        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
+    if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
-        refreshToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace,
-            ciphertext: integrationAuth.refreshCiphertext as string,
-            iv: integrationAuth.refreshIV as string,
-            tag: integrationAuth.refreshTag as string
-        });
-
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        if(err instanceof RequestError)
-            throw err
-        else
-            throw new Error('Failed to get integration refresh token');
-    }
+    const refreshToken = await BotService.decryptSymmetric({
+        workspaceId: integrationAuth.workspace,
+        ciphertext: integrationAuth.refreshCiphertext as string,
+        iv: integrationAuth.refreshIV as string,
+        tag: integrationAuth.refreshTag as string
+    });
     
     return refreshToken;
 }
@@ -214,53 +186,43 @@ const syncIntegrationsHelper = async ({
  * @param {String} obj.integrationAuthId - id of integration auth
  * @returns {String} accessToken - decrypted access token
  */
-const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
+export const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: Types.ObjectId }) => {
     let accessId;
     let accessToken;
-    try {
-        const integrationAuth = await IntegrationAuth
-            .findById(integrationAuthId)
-            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag');
+    const integrationAuth = await IntegrationAuth
+        .findById(integrationAuthId)
+        .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag');
 
-        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
+    if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
 
-        accessToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace,
-            ciphertext: integrationAuth.accessCiphertext as string,
-            iv: integrationAuth.accessIV as string,
-            tag: integrationAuth.accessTag as string
-        });
+    accessToken = await BotService.decryptSymmetric({
+        workspaceId: integrationAuth.workspace,
+        ciphertext: integrationAuth.accessCiphertext as string,
+        iv: integrationAuth.accessIV as string,
+        tag: integrationAuth.accessTag as string
+    });
 
-        if (integrationAuth?.accessExpiresAt && integrationAuth?.refreshCiphertext) {
-            // there is a access token expiration date
-            // and refresh token to exchange with the OAuth2 server
-            
-            if (integrationAuth.accessExpiresAt < new Date()) {
-                // access token is expired
-                const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
-                accessToken = await exchangeRefresh({
-                    integrationAuth,
-                    refreshToken
-                });
-            }
-        }
+    if (integrationAuth?.accessExpiresAt && integrationAuth?.refreshCiphertext) {
+        // there is a access token expiration date
+        // and refresh token to exchange with the OAuth2 server
         
-        if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
-            accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace,
-                ciphertext: integrationAuth.accessIdCiphertext as string,
-                iv: integrationAuth.accessIdIV as string,
-                tag: integrationAuth.accessIdTag as string
+        if (integrationAuth.accessExpiresAt < new Date()) {
+            // access token is expired
+            const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
+            accessToken = await exchangeRefresh({
+                integrationAuth,
+                refreshToken
             });
         }
-
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        if(err instanceof RequestError)
-            throw err
-        else
-            throw new Error('Failed to get integration access token');
+    }
+    
+    if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
+        accessId = await BotService.decryptSymmetric({
+            workspaceId: integrationAuth.workspace,
+            ciphertext: integrationAuth.accessIdCiphertext as string,
+            iv: integrationAuth.accessIdIV as string,
+            tag: integrationAuth.accessIdTag as string
+        });
     }
     
     return ({
@@ -277,7 +239,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
  * @param {String} obj.integrationAuthId - id of integration auth
  * @param {String} obj.refreshToken - refresh token
  */
-const setIntegrationAuthRefreshHelper = async ({
+export const setIntegrationAuthRefreshHelper = async ({
     integrationAuthId,
     refreshToken
 }: {
@@ -285,34 +247,27 @@ const setIntegrationAuthRefreshHelper = async ({
     refreshToken: string;
 }) => {
     
-    let integrationAuth;
-    try {
-        integrationAuth = await IntegrationAuth
-            .findById(integrationAuthId);
-        
-        if (!integrationAuth) throw new Error('Failed to find integration auth');
-        
-        const obj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace,
-            plaintext: refreshToken
-        });
-        
-        integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            _id: integrationAuthId
-        }, {
-            refreshCiphertext: obj.ciphertext,
-            refreshIV: obj.iv,
-            refreshTag: obj.tag,
-            algorithm: ALGORITHM_AES_256_GCM,
-            keyEncoding: ENCODING_SCHEME_UTF8
-        }, {
-            new: true
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to set integration auth refresh token');
-    }
+    let integrationAuth = await IntegrationAuth
+        .findById(integrationAuthId);
+    
+    if (!integrationAuth) throw new Error('Failed to find integration auth');
+    
+    const obj = await BotService.encryptSymmetric({
+        workspaceId: integrationAuth.workspace,
+        plaintext: refreshToken
+    });
+    
+    integrationAuth = await IntegrationAuth.findOneAndUpdate({
+        _id: integrationAuthId
+    }, {
+        refreshCiphertext: obj.ciphertext,
+        refreshIV: obj.iv,
+        refreshTag: obj.tag,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8
+    }, {
+        new: true
+    });
     
     return integrationAuth;
 }
@@ -326,7 +281,7 @@ const setIntegrationAuthRefreshHelper = async ({
  * @param {String} obj.accessToken - access token
  * @param {Date} obj.accessExpiresAt - expiration date of access token
  */
-const setIntegrationAuthAccessHelper = async ({
+export const setIntegrationAuthAccessHelper = async ({
     integrationAuthId,
     accessId,
     accessToken,
@@ -337,54 +292,38 @@ const setIntegrationAuthAccessHelper = async ({
     accessToken: string;
     accessExpiresAt: Date | undefined;
 }) => {
-    let integrationAuth;
-    try {
-        integrationAuth = await IntegrationAuth.findById(integrationAuthId);
-        
-        if (!integrationAuth) throw new Error('Failed to find integration auth');
-        
-        const encryptedAccessTokenObj = await BotService.encryptSymmetric({
+    let integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+    
+    if (!integrationAuth) throw new Error('Failed to find integration auth');
+    
+    const encryptedAccessTokenObj = await BotService.encryptSymmetric({
+        workspaceId: integrationAuth.workspace,
+        plaintext: accessToken
+    });
+    
+    let encryptedAccessIdObj;
+    if (accessId) {
+        encryptedAccessIdObj = await BotService.encryptSymmetric({
             workspaceId: integrationAuth.workspace,
-            plaintext: accessToken
-        });
-        
-        let encryptedAccessIdObj;
-        if (accessId) {
-            encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace,
-                plaintext: accessId
-            }); 
-        }
-        
-        integrationAuth = await IntegrationAuth.findOneAndUpdate({
-            _id: integrationAuthId
-        }, {
-            accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
-            accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
-            accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
-            accessCiphertext: encryptedAccessTokenObj.ciphertext,
-            accessIV: encryptedAccessTokenObj.iv,
-            accessTag: encryptedAccessTokenObj.tag,
-            accessExpiresAt,
-            algorithm: ALGORITHM_AES_256_GCM,
-            keyEncoding: ENCODING_SCHEME_UTF8
-        }, {
-            new: true
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to save integration auth access token');
+            plaintext: accessId
+        }); 
     }
     
+    integrationAuth = await IntegrationAuth.findOneAndUpdate({
+        _id: integrationAuthId
+    }, {
+        accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
+        accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
+        accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
+        accessCiphertext: encryptedAccessTokenObj.ciphertext,
+        accessIV: encryptedAccessTokenObj.iv,
+        accessTag: encryptedAccessTokenObj.tag,
+        accessExpiresAt,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8
+    }, {
+        new: true
+    });
+    
     return integrationAuth;
-}
-
-export {
-    handleOAuthExchangeHelper,
-    syncIntegrationsHelper,
-    getIntegrationAuthRefreshHelper,
-    getIntegrationAuthAccessHelper,
-    setIntegrationAuthRefreshHelper,
-    setIntegrationAuthAccessHelper
-}
+}

backend/src/helpers/key.ts

@@ -17,7 +17,7 @@ interface Key {
  * @param {String} obj.keys.nonce - nonce for encryption
  * @param {String} obj.keys.userId - id of receiver user
  */
-const pushKeys = async ({
+export const pushKeys = async ({
 	userId,
 	workspaceId,
 	keys
@@ -50,6 +50,4 @@ const pushKeys = async ({
       workspace: workspaceId
     }))
   );
-};
-
-export { pushKeys };
+};

backend/src/helpers/membership.ts

@@ -1,7 +1,6 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { Membership, Key } from '../models';
-import { MembershipNotFoundError, BadRequestError } from '../utils/errors';
+import { Types } from "mongoose";
+import { Membership, Key } from "../models";
+import { MembershipNotFoundError, BadRequestError } from "../utils/errors";
 
 /**
  * Validate that user with id [userId] is a member of workspace with id [workspaceId]
@@ -11,30 +10,30 @@ import { MembershipNotFoundError, BadRequestError } from '../utils/errors';
  * @param {String} obj.workspaceId - id of workspace
  * @returns {Membership} membership - membership of user with id [userId] for workspace with id [workspaceId]
  */
-const validateMembership = async ({
-  userId,
-  workspaceId,
-  acceptedRoles,
+export const validateMembership = async ({
+	userId,
+	workspaceId,
+	acceptedRoles,
 }: {
   userId: Types.ObjectId | string;
   workspaceId: Types.ObjectId | string;
-  acceptedRoles?: Array<'admin' | 'member'>;
+  acceptedRoles?: Array<"admin" | "member">;
 }) => {
   const membership = await Membership.findOne({
     user: userId,
     workspace: workspaceId,
-  }).populate('workspace');
+  }).populate("workspace");
 
   if (!membership) {
     throw MembershipNotFoundError({
-      message: 'Failed to find workspace membership',
+      message: "Failed to find workspace membership",
     });
   }
 
   if (acceptedRoles) {
     if (!acceptedRoles.includes(membership.role)) {
       throw BadRequestError({
-        message: 'Failed authorization for membership role',
+        message: "Failed authorization for membership role",
       });
     }
   }
@@ -47,16 +46,8 @@ const validateMembership = async ({
  * @param {Object} queryObj - query object
  * @return {Object} membership - membership
  */
-const findMembership = async (queryObj: any) => {
-  let membership;
-  try {
-    membership = await Membership.findOne(queryObj);
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to find membership');
-  }
-
+export const findMembership = async (queryObj: any) => {
+	const membership = await Membership.findOne(queryObj);
   return membership;
 };
 
@@ -68,40 +59,33 @@ const findMembership = async (queryObj: any) => {
  * @param {String} obj.workspaceId - id of workspace.
  * @param {String[]} obj.roles - roles of users.
  */
-const addMemberships = async ({
-  userIds,
-  workspaceId,
-  roles,
+export const addMemberships = async ({
+	userIds,
+	workspaceId,
+	roles
 }: {
   userIds: string[];
   workspaceId: string;
   roles: string[];
 }): Promise<void> => {
-  try {
-    const operations = userIds.map((userId, idx) => {
-      return {
-        updateOne: {
-          filter: {
-            user: userId,
-            workspace: workspaceId,
-            role: roles[idx],
-          },
-          update: {
-            user: userId,
-            workspace: workspaceId,
-            role: roles[idx],
-          },
-          upsert: true,
+  const operations = userIds.map((userId, idx) => {
+    return {
+      updateOne: {
+        filter: {
+          user: userId,
+          workspace: workspaceId,
+          role: roles[idx],
         },
-      };
-    });
-
-    await Membership.bulkWrite(operations as any);
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to add users to workspace');
-  }
+        update: {
+          user: userId,
+          workspace: workspaceId,
+          role: roles[idx],
+        },
+        upsert: true,
+      },
+    };
+  });
+  await Membership.bulkWrite(operations as any);
 };
 
 /**
@@ -109,28 +93,19 @@ const addMemberships = async ({
  * @param {Object} obj
  * @param {String} obj.membershipId - id of membership to delete
  */
-const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
-  let deletedMembership;
-  try {
-    deletedMembership = await Membership.findOneAndDelete({
-      _id: membershipId,
-    });
+export const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
+	const deletedMembership = await Membership.findOneAndDelete({
+    _id: membershipId
+  });
 
-    // delete keys associated with the membership
-    if (deletedMembership?.user) {
-      // case: membership had a registered user
-      await Key.deleteMany({
-        receiver: deletedMembership.user,
-        workspace: deletedMembership.workspace,
-      });
-    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to delete membership');
+  // delete keys associated with the membership
+  if (deletedMembership?.user) {
+    // case: membership had a registered user
+    await Key.deleteMany({
+      receiver: deletedMembership.user,
+      workspace: deletedMembership.workspace,
+    });
   }
 
-  return deletedMembership;
+	return deletedMembership;
 };
-
-export { validateMembership, addMemberships, findMembership, deleteMembership };

backend/src/helpers/membershipOrg.ts

@@ -18,7 +18,7 @@ import {
  * @param {Types.ObjectId} obj.organizationId
  * @param {String[]} obj.acceptedRoles
  */
-const validateMembershipOrg = async ({
+export const validateMembershipOrg = async ({
 	userId,
 	organizationId,
 	acceptedRoles,
@@ -59,7 +59,7 @@ const validateMembershipOrg = async ({
  * @param {Object} queryObj - query object
  * @return {Object} membershipOrg - membership
  */
-const findMembershipOrg = (queryObj: any) => {
+export const findMembershipOrg = (queryObj: any) => {
 	const membershipOrg = MembershipOrg.findOne(queryObj);
 	return membershipOrg;
 };
@@ -72,7 +72,7 @@ const findMembershipOrg = (queryObj: any) => {
  * @param {String} obj.organizationId - id of organization.
  * @param {String[]} obj.roles - roles of users.
  */
-const addMembershipsOrg = async ({
+export const addMembershipsOrg = async ({
 	userIds,
 	organizationId,
 	roles,
@@ -111,7 +111,7 @@ const addMembershipsOrg = async ({
  * @param {Object} obj
  * @param {String} obj.membershipOrgId - id of organization membership to delete
  */
-const deleteMembershipOrg = async ({
+export const deleteMembershipOrg = async ({
 	membershipOrgId
 }: {
 	membershipOrgId: string;
@@ -148,11 +148,4 @@ const deleteMembershipOrg = async ({
   }
 
 	return deletedMembershipOrg;
-};
-
-export {
-	validateMembershipOrg,
-	findMembershipOrg,
-	addMembershipsOrg, 
-	deleteMembershipOrg 
-}; 
+};

backend/src/helpers/nodemailer.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import fs from 'fs';
 import path from 'path';
 import handlebars from 'handlebars';
@@ -14,7 +13,7 @@ let smtpTransporter: nodemailer.Transporter;
  * @param {String[]} obj.recipients - email addresses of people to send email to
  * @param {Object} obj.substitutions - object containing template substitutions
  */
-const sendMail = async ({
+export const sendMail = async ({
   template,
   subjectLine,
   recipients,
@@ -26,29 +25,22 @@ const sendMail = async ({
   substitutions: any;
 }) => {
   if (await getSmtpConfigured()) {
-    try {
-      const html = fs.readFileSync(
-        path.resolve(__dirname, '../templates/' + template),
-        'utf8'
-      );
-      const temp = handlebars.compile(html);
-      const htmlToSend = temp(substitutions);
+    const html = fs.readFileSync(
+      path.resolve(__dirname, '../templates/' + template),
+      'utf8'
+    );
+    const temp = handlebars.compile(html);
+    const htmlToSend = temp(substitutions);
 
-      await smtpTransporter.sendMail({
-        from: `"${await getSmtpFromName()}" <${await getSmtpFromAddress()}>`,
-        to: recipients.join(', '),
-        subject: subjectLine,
-        html: htmlToSend
-      });
-    } catch (err) {
-      Sentry.setUser(null);
-      Sentry.captureException(err);
-    }
+    await smtpTransporter.sendMail({
+      from: `"${await getSmtpFromName()}" <${await getSmtpFromAddress()}>`,
+      to: recipients.join(', '),
+      subject: subjectLine,
+      html: htmlToSend
+    });
   }
 };
 
-const setTransporter = (transporter: nodemailer.Transporter) => {
+export const setTransporter = (transporter: nodemailer.Transporter) => {
   smtpTransporter = transporter;
-};
-
-export { sendMail, setTransporter };
+};

backend/src/helpers/organization.ts

@@ -28,7 +28,7 @@ import {
  * @param {String} obj.email - POC email that will receive invoice info
  * @param {Object} organization - new organization
  */
-const createOrganization = async ({
+export const createOrganization = async ({
   name,
   email,
 }: {
@@ -70,7 +70,7 @@ const createOrganization = async ({
  * @return {Object} obj.stripeSubscription - new stripe subscription
  * @return {Subscription} obj.subscription - new subscription
  */
-const initSubscriptionOrg = async ({
+export const initSubscriptionOrg = async ({
   organizationId,
 }: {
   organizationId: Types.ObjectId;
@@ -125,7 +125,7 @@ const initSubscriptionOrg = async ({
  * @param {Object} obj
  * @param {Number} obj.organizationId - id of subscription's organization
  */
-const updateSubscriptionOrgQuantity = async ({
+export const updateSubscriptionOrgQuantity = async ({
   organizationId,
 }: {
   organizationId: string;
@@ -153,28 +153,24 @@ const updateSubscriptionOrgQuantity = async ({
 
       EELicenseService.localFeatureSet.del(organizationId);
     }
-    
-    if (EELicenseService.instanceType === 'enterprise-self-hosted') {
-      // instance of Infisical is an enterprise self-hosted instance
-      
-      const usedSeats = await MembershipOrg.countDocuments({
-        status: ACCEPTED
-      });
-
-      await licenseKeyRequest.patch(
-        `${await getLicenseServerUrl()}/api/license/v1/license`,
-        {
-          usedSeats
-        }
-      );
-    }
   }
 
-  return stripeSubscription;
-};
+  if (EELicenseService.instanceType === 'enterprise-self-hosted') {
+    // instance of Infisical is an enterprise self-hosted instance
+    
+    const usedSeats = await MembershipOrg.countDocuments({
+      status: ACCEPTED
+    });
 
-export {
-  createOrganization,
-  initSubscriptionOrg,
-  updateSubscriptionOrgQuantity
-};
+    await licenseKeyRequest.patch(
+      `${await getLicenseServerUrl()}/api/license/v1/license`,
+      {
+        usedSeats
+      }
+    );
+  }
+
+  await EELicenseService.refreshPlan(organizationId);
+
+  return stripeSubscription;
+};

backend/src/helpers/rateLimiter.ts

@@ -1,70 +1,64 @@
 import rateLimit from 'express-rate-limit';
-const MongoStore = require('rate-limit-mongo');
+// const MongoStore = require('rate-limit-mongo');
 
 // 200 per minute
-const apiLimiter = rateLimit({
-  store: new MongoStore({
-    uri: process.env.MONGO_URL,
-    expireTimeMs: 1000 * 60,
-    collectionName: "expressRateRecords-apiLimiter",
-    errorHandler: console.error.bind(null, 'rate-limit-mongo')
-  }),
-  windowMs: 1000 * 60,
-  max: 200,
+export const apiLimiter = rateLimit({
+  // store: new MongoStore({
+  //   uri: process.env.MONGO_URL,
+  //   expireTimeMs: 1000 * 60,
+  //   collectionName: "expressRateRecords-apiLimiter",
+  //   errorHandler: console.error.bind(null, 'rate-limit-mongo')
+  // }),
+  windowMs: 60 * 1000,
+  max: 240,
   standardHeaders: true,
   legacyHeaders: false,
   skip: (request) => {
     return request.path === '/healthcheck' || request.path === '/api/status'
   },
   keyGenerator: (req, res) => {
-    return req.clientIp
+    return req.realIP
   }
 });
 
 // 50 requests per 1 hours
 const authLimit = rateLimit({
-  store: new MongoStore({
-    uri: process.env.MONGO_URL,
-    expireTimeMs: 1000 * 60 * 60,
-    errorHandler: console.error.bind(null, 'rate-limit-mongo'),
-    collectionName: "expressRateRecords-authLimit",
-  }),
-  windowMs: 1000 * 60 * 60,
-  max: 50,
+  // store: new MongoStore({
+  //   uri: process.env.MONGO_URL,
+  //   expireTimeMs: 1000 * 60 * 60,
+  //   errorHandler: console.error.bind(null, 'rate-limit-mongo'),
+  //   collectionName: "expressRateRecords-authLimit",
+  // }),
+  windowMs: 60 * 1000,
+  max: 10,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {
-    return req.clientIp
+    return req.realIP
   }
 });
 
-// 50 requests per 1 hour
-const passwordLimiter = rateLimit({
-  store: new MongoStore({
-    uri: process.env.MONGO_URL,
-    expireTimeMs: 1000 * 60 * 60,
-    errorHandler: console.error.bind(null, 'rate-limit-mongo'),
-    collectionName: "expressRateRecords-passwordLimiter",
-  }),
-  windowMs: 1000 * 60 * 60,
-  max: 50,
+// 5 requests per 1 hour
+export const passwordLimiter = rateLimit({
+  // store: new MongoStore({
+  //   uri: process.env.MONGO_URL,
+  //   expireTimeMs: 1000 * 60 * 60,
+  //   errorHandler: console.error.bind(null, 'rate-limit-mongo'),
+  //   collectionName: "expressRateRecords-passwordLimiter",
+  // }),
+  windowMs: 60 * 60 * 1000,
+  max: 10,
   standardHeaders: true,
   legacyHeaders: false,
   keyGenerator: (req, res) => {
-    return req.clientIp
+    return req.realIP
   }
 });
 
-const authLimiter = (req: any, res: any, next: any) => {
+export const authLimiter = (req: any, res: any, next: any) => {
   if (process.env.NODE_ENV === 'production') {
     authLimit(req, res, next);
   } else {
     next();
   }
-};
-
-export {
-  apiLimiter,
-  authLimiter,
-  passwordLimiter
-};
+};

backend/src/helpers/secret.ts

@@ -60,7 +60,7 @@ interface Update {
  * @param {String} obj.environment - environment for secrets
  * @param {Object[]} obj.secrets - secrets to push
  */
-const v1PushSecrets = async ({
+export const v1PushSecrets = async ({
   userId,
   workspaceId,
   environment,
@@ -304,7 +304,7 @@ const v1PushSecrets = async ({
  * @param {String} obj.channel - channel (web/cli/auto)
  * @param {String} obj.ipAddress - ip address of request to push secrets
  */
-const v2PushSecrets = async ({
+export const v2PushSecrets = async ({
   userId,
   workspaceId,
   environment,
@@ -530,7 +530,7 @@ const v2PushSecrets = async ({
  * @param {String} obj.workspaceId - id of workspace to pull from
  * @param {String} obj.environment - environment for secrets
  */
-const getSecrets = async ({
+export const getSecrets = async ({
   userId,
   workspaceId,
   environment,
@@ -570,7 +570,7 @@ const getSecrets = async ({
  * @param {String} obj.channel - channel (web/cli/auto)
  * @param {String} obj.ipAddress - ip address of request to push secrets
  */
-const pullSecrets = async ({
+export const pullSecrets = async ({
   userId,
   workspaceId,
   environment,
@@ -614,7 +614,7 @@ const pullSecrets = async ({
  * @param {Object} obj
  * @param {Object} obj.secrets
  */
-const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
+export const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
   const reformatedSecrets = secrets.map((s) => ({
     _id: s._id,
     workspace: s.workspace,
@@ -644,6 +644,4 @@ const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
   }));
 
   return reformatedSecrets;
-};
-
-export { v1PushSecrets, v2PushSecrets, pullSecrets, reformatPullSecrets };
+};

backend/src/helpers/secrets.ts

@@ -1,4 +1,4 @@
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import {
   CreateSecretParams,
   GetSecretsParams,
@@ -6,14 +6,20 @@ import {
   UpdateSecretParams,
   DeleteSecretParams,
 } from '../interfaces/services/SecretService';
-import { Secret, ISecret, SecretBlindIndexData } from '../models';
-import { SecretVersion } from '../ee/models';
+import {
+  Secret,
+  ISecret,
+  SecretBlindIndexData,
+  ServiceTokenData,
+} from "../models";
+import { SecretVersion } from "../ee/models";
 import {
   BadRequestError,
   SecretNotFoundError,
   SecretBlindIndexDataNotFoundError,
   InternalServerError,
-} from '../utils/errors';
+  UnauthorizedRequestError,
+} from "../utils/errors";
 import {
   SECRET_PERSONAL,
   SECRET_SHARED,
@@ -24,20 +30,75 @@ import {
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
   ENCODING_SCHEME_BASE64,
-} from '../variables';
-import crypto from 'crypto';
-import * as argon2 from 'argon2';
+} from "../variables";
+import crypto from "crypto";
+import * as argon2 from "argon2";
 import {
   encryptSymmetric128BitHexKeyUTF8,
   decryptSymmetric128BitHexKeyUTF8,
 } from '../utils/crypto';
-import { getEncryptionKey, client, getRootEncryptionKey } from '../config';
 import { TelemetryService } from '../services';
-import { EESecretService, EELogService } from '../ee/services';
+import { getEncryptionKey, client, getRootEncryptionKey } from "../config";
+import { EESecretService, EELogService } from "../ee/services";
 import {
   getAuthDataPayloadIdObj,
   getAuthDataPayloadUserObj,
-} from '../utils/auth';
+} from "../utils/auth";
+import { getFolderIdFromServiceToken } from "../services/FolderService";
+
+/**
+ * Returns an object containing secret [secret] but with its value, key, comment decrypted.
+ * 
+ * Precondition: the workspace for secret [secret] must have E2EE disabled
+ * @param {ISecret} secret - secret to repackage to raw
+ * @param {String} key - symmetric key to use to decrypt secret
+ * @returns 
+ */
+export const repackageSecretToRaw = ({
+  secret,
+  key
+}:{
+  secret: ISecret;
+  key: string;
+}) => {
+
+  const secretKey = decryptSymmetric128BitHexKeyUTF8({
+    ciphertext: secret.secretKeyCiphertext,
+    iv: secret.secretKeyIV,
+    tag: secret.secretKeyTag,
+    key
+  });
+
+  const secretValue = decryptSymmetric128BitHexKeyUTF8({
+    ciphertext: secret.secretValueCiphertext,
+    iv: secret.secretValueIV,
+    tag: secret.secretValueTag,
+    key
+  });
+
+  let secretComment: string = ''; 
+  
+  if (secret.secretCommentCiphertext && secret.secretCommentIV && secret.secretCommentTag) {
+    secretComment = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretCommentCiphertext,
+      iv: secret.secretCommentIV,
+      tag: secret.secretCommentTag,
+      key
+    });
+  }
+  
+  return ({
+    _id: secret._id,
+    version: secret.version,
+    workspace: secret.workspace,
+    type: secret.type,
+    environment: secret.environment,
+    user: secret.user,
+    secretKey,
+    secretValue,
+    secretComment
+  });
+}
 
 /**
  * Create secret blind index data containing encrypted blind index [salt]
@@ -45,13 +106,13 @@ import {
  * @param {Object} obj
  * @param {Types.ObjectId} obj.workspaceId
  */
-const createSecretBlindIndexDataHelper = async ({
+export const createSecretBlindIndexDataHelper = async ({
   workspaceId,
 }: {
   workspaceId: Types.ObjectId;
 }) => {
   // initialize random blind index salt for workspace
-  const salt = crypto.randomBytes(16).toString('base64');
+  const salt = crypto.randomBytes(16).toString("base64");
 
   const encryptionKey = await getEncryptionKey();
   const rootEncryptionKey = await getRootEncryptionKey();
@@ -98,7 +159,7 @@ const createSecretBlindIndexDataHelper = async ({
  * @param {Types.ObjectId} obj.workspaceId - id of workspace to get salt for
  * @returns
  */
-const getSecretBlindIndexSaltHelper = async ({
+export const getSecretBlindIndexSaltHelper = async ({
   workspaceId,
 }: {
   workspaceId: Types.ObjectId;
@@ -108,7 +169,7 @@ const getSecretBlindIndexSaltHelper = async ({
 
   const secretBlindIndexData = await SecretBlindIndexData.findOne({
     workspace: workspaceId,
-  }).select('+algorithm +keyEncoding');
+  }).select("+algorithm +keyEncoding");
 
   if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
 
@@ -136,7 +197,7 @@ const getSecretBlindIndexSaltHelper = async ({
   }
 
   throw InternalServerError({
-    message: 'Failed to obtain workspace salt needed for secret blind indexing',
+    message: "Failed to obtain workspace salt needed for secret blind indexing",
   });
 };
 
@@ -147,7 +208,7 @@ const getSecretBlindIndexSaltHelper = async ({
  * @param {String} obj.secretName - name of secret to generate blind index for
  * @param {String} obj.salt - base64-salt
  */
-const generateSecretBlindIndexWithSaltHelper = async ({
+export const generateSecretBlindIndexWithSaltHelper = async ({
   secretName,
   salt,
 }: {
@@ -158,14 +219,14 @@ const generateSecretBlindIndexWithSaltHelper = async ({
   const secretBlindIndex = (
     await argon2.hash(secretName, {
       type: argon2.argon2id,
-      salt: Buffer.from(salt, 'base64'),
+      salt: Buffer.from(salt, "base64"),
       saltLength: 16, // default 16 bytes
       memoryCost: 65536, // default pool of 64 MiB per thread.
       hashLength: 32,
       parallelism: 1,
       raw: true,
     })
-  ).toString('base64');
+  ).toString("base64");
 
   return secretBlindIndex;
 };
@@ -177,7 +238,7 @@ const generateSecretBlindIndexWithSaltHelper = async ({
  * @param {Stringj} obj.secretName - name of secret to generate blind index for
  * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
  */
-const generateSecretBlindIndexHelper = async ({
+export const generateSecretBlindIndexHelper = async ({
   secretName,
   workspaceId,
 }: {
@@ -185,26 +246,56 @@ const generateSecretBlindIndexHelper = async ({
   workspaceId: Types.ObjectId;
 }) => {
   // check if workspace blind index data exists
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
   const secretBlindIndexData = await SecretBlindIndexData.findOne({
     workspace: workspaceId,
-  });
+  }).select("+algorithm +keyEncoding");
 
   if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
 
-  // decrypt workspace salt
-  const salt = decryptSymmetric128BitHexKeyUTF8({
-    ciphertext: secretBlindIndexData.encryptedSaltCiphertext,
-    iv: secretBlindIndexData.saltIV,
-    tag: secretBlindIndexData.saltTag,
-    key: await getEncryptionKey(),
-  });
+  let salt;
+  if (
+    rootEncryptionKey &&
+    secretBlindIndexData.keyEncoding === ENCODING_SCHEME_BASE64
+  ) {
+    salt = client.decryptSymmetric(
+      secretBlindIndexData.encryptedSaltCiphertext,
+      rootEncryptionKey,
+      secretBlindIndexData.saltIV,
+      secretBlindIndexData.saltTag
+    );
 
-  const secretBlindIndex = await generateSecretBlindIndexWithSaltHelper({
-    secretName,
-    salt,
-  });
+    const secretBlindIndex = await generateSecretBlindIndexWithSaltHelper({
+      secretName,
+      salt,
+    });
 
-  return secretBlindIndex;
+    return secretBlindIndex;
+  } else if (
+    encryptionKey &&
+    secretBlindIndexData.keyEncoding === ENCODING_SCHEME_UTF8
+  ) {
+    // decrypt workspace salt
+    salt = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secretBlindIndexData.encryptedSaltCiphertext,
+      iv: secretBlindIndexData.saltIV,
+      tag: secretBlindIndexData.saltTag,
+      key: encryptionKey,
+    });
+
+    const secretBlindIndex = await generateSecretBlindIndexWithSaltHelper({
+      secretName,
+      salt,
+    });
+
+    return secretBlindIndex;
+  }
+
+  throw InternalServerError({
+    message: "Failed to generate secret blind index",
+  });
 };
 
 /**
@@ -217,7 +308,7 @@ const generateSecretBlindIndexHelper = async ({
  * @param {AuthData} obj.authData - authentication data on request
  * @returns
  */
-const createSecretHelper = async ({
+export const createSecretHelper = async ({
   secretName,
   workspaceId,
   environment,
@@ -232,23 +323,38 @@ const createSecretHelper = async ({
   secretCommentCiphertext,
   secretCommentIV,
   secretCommentTag,
-  folderId,
+  secretPath = "/",
 }: CreateSecretParams) => {
+
   const secretBlindIndex = await generateSecretBlindIndexHelper({
     secretName,
     workspaceId: new Types.ObjectId(workspaceId),
   });
 
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
+
   const exists = await Secret.exists({
     secretBlindIndex,
     workspace: new Types.ObjectId(workspaceId),
+    folder: folderId,
     type,
     ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
   });
 
   if (exists)
     throw BadRequestError({
-      message: 'Failed to create secret that already exists',
+      message: "Failed to create secret that already exists",
     });
 
   if (type === SECRET_PERSONAL) {
@@ -257,6 +363,7 @@ const createSecretHelper = async ({
 
     const exists = await Secret.exists({
       secretBlindIndex,
+      folder: folderId,
       workspace: new Types.ObjectId(workspaceId),
       type: SECRET_SHARED,
     });
@@ -264,7 +371,7 @@ const createSecretHelper = async ({
     if (!exists)
       throw BadRequestError({
         message:
-          'Failed to create personal secret override for no corresponding shared secret',
+          "Failed to create personal secret override for no corresponding shared secret",
       });
   }
 
@@ -295,6 +402,7 @@ const createSecretHelper = async ({
     version: secret.version,
     workspace: secret.workspace,
     type,
+    folder: folderId,
     ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
     environment: secret.environment,
     isDeleted: false,
@@ -342,7 +450,7 @@ const createSecretHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets added',
+      event: "secrets added",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -350,6 +458,7 @@ const createSecretHelper = async ({
         numberOfSecrets: 1,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
@@ -367,31 +476,46 @@ const createSecretHelper = async ({
  * @param {AuthData} obj.authData - authentication data on request
  * @returns
  */
-const getSecretsHelper = async ({
+export const getSecretsHelper = async ({
   workspaceId,
   environment,
   authData,
+  secretPath = "/",
 }: GetSecretsParams) => {
   let secrets: ISecret[] = [];
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
 
   // get personal secrets first
   secrets = await Secret.find({
     workspace: new Types.ObjectId(workspaceId),
     environment,
+    folder: folderId,
     type: SECRET_PERSONAL,
     ...getAuthDataPayloadUserObj(authData),
-  });
+  }).lean();
 
   // concat with shared secrets
   secrets = secrets.concat(
     await Secret.find({
       workspace: new Types.ObjectId(workspaceId),
       environment,
+      folder: folderId,
       type: SECRET_SHARED,
       secretBlindIndex: {
         $nin: secrets.map((secret) => secret.secretBlindIndex),
       },
-    })
+    }).lean()
   );
 
   // (EE) create (audit) log
@@ -415,7 +539,7 @@ const getSecretsHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets pulled',
+      event: "secrets pulled",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -423,12 +547,13 @@ const getSecretsHelper = async ({
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
     });
   }
-
+  
   return secrets;
 };
 
@@ -442,27 +567,41 @@ const getSecretsHelper = async ({
  * @param {AuthData} obj.authData - authentication data on request
  * @returns
  */
-const getSecretHelper = async ({
+export const getSecretHelper = async ({
   secretName,
   workspaceId,
   environment,
   type,
   authData,
+  secretPath = "/",
 }: GetSecretParams) => {
   const secretBlindIndex = await generateSecretBlindIndexHelper({
     secretName,
     workspaceId: new Types.ObjectId(workspaceId),
   });
   let secret: ISecret | null = null;
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
 
   // try getting personal secret first (if exists)
   secret = await Secret.findOne({
     secretBlindIndex,
     workspace: new Types.ObjectId(workspaceId),
     environment,
+    folder: folderId,
     type: type ?? SECRET_PERSONAL,
     ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
-  });
+  }).lean();
 
   if (!secret) {
     // case: failed to find personal secret matching criteria
@@ -471,8 +610,9 @@ const getSecretHelper = async ({
       secretBlindIndex,
       workspace: new Types.ObjectId(workspaceId),
       environment,
+      folder: folderId,
       type: SECRET_SHARED,
-    });
+    }).lean();
   }
 
   if (!secret) throw SecretNotFoundError();
@@ -498,7 +638,7 @@ const getSecretHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets pull',
+      event: "secrets pull",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -506,12 +646,13 @@ const getSecretHelper = async ({
         numberOfSecrets: 1,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
     });
   }
-
+  
   return secret;
 };
 
@@ -528,7 +669,8 @@ const getSecretHelper = async ({
  * @param {AuthData} obj.authData - authentication data on request
  * @returns
  */
-const updateSecretHelper = async ({
+
+export const updateSecretHelper = async ({
   secretName,
   workspaceId,
   environment,
@@ -537,6 +679,7 @@ const updateSecretHelper = async ({
   secretValueCiphertext,
   secretValueIV,
   secretValueTag,
+  secretPath,
 }: UpdateSecretParams) => {
   const secretBlindIndex = await generateSecretBlindIndexHelper({
     secretName,
@@ -544,6 +687,18 @@ const updateSecretHelper = async ({
   });
 
   let secret: ISecret | null = null;
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
 
   if (type === SECRET_SHARED) {
     // case: update shared secret
@@ -552,6 +707,7 @@ const updateSecretHelper = async ({
         secretBlindIndex,
         workspace: new Types.ObjectId(workspaceId),
         environment,
+        folder: folderId,
         type,
       },
       {
@@ -573,6 +729,7 @@ const updateSecretHelper = async ({
         workspace: new Types.ObjectId(workspaceId),
         environment,
         type,
+        folder: folderId,
         ...getAuthDataPayloadUserObj(authData),
       },
       {
@@ -593,6 +750,7 @@ const updateSecretHelper = async ({
     secret: secret._id,
     version: secret.version,
     workspace: secret.workspace,
+    folder: folderId,
     type,
     ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
     environment: secret.environment,
@@ -641,7 +799,7 @@ const updateSecretHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets modified',
+      event: "secrets modified",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -649,6 +807,7 @@ const updateSecretHelper = async ({
         numberOfSecrets: 1,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
@@ -668,18 +827,33 @@ const updateSecretHelper = async ({
  * @param {AuthData} obj.authData - authentication data on request
  * @returns
  */
-const deleteSecretHelper = async ({
+export const deleteSecretHelper = async ({
   secretName,
   workspaceId,
   environment,
   type,
   authData,
+  secretPath = "/",
 }: DeleteSecretParams) => {
   const secretBlindIndex = await generateSecretBlindIndexHelper({
     secretName,
     workspaceId: new Types.ObjectId(workspaceId),
   });
 
+  // if using service token filter towards the folderId by secretpath
+  if (authData.authPayload instanceof ServiceTokenData) {
+    const { secretPath: serviceTkScopedSecretPath } = authData.authPayload;
+    
+    if (secretPath !== serviceTkScopedSecretPath) {
+      throw UnauthorizedRequestError({ message: "Folder Permission Denied" });
+    }
+  }
+  const folderId = await getFolderIdFromServiceToken(
+    workspaceId,
+    environment,
+    secretPath
+  );
+
   let secrets: ISecret[] = [];
   let secret: ISecret | null = null;
 
@@ -688,28 +862,32 @@ const deleteSecretHelper = async ({
       secretBlindIndex,
       workspaceId: new Types.ObjectId(workspaceId),
       environment,
-    });
+      folder: folderId,
+    }).lean();
 
     secret = await Secret.findOneAndDelete({
       secretBlindIndex,
       workspaceId: new Types.ObjectId(workspaceId),
       environment,
       type,
-    });
+      folder: folderId,
+    }).lean();
 
     await Secret.deleteMany({
       secretBlindIndex,
       workspaceId: new Types.ObjectId(workspaceId),
       environment,
+      folder: folderId,
     });
   } else {
     secret = await Secret.findOneAndDelete({
       secretBlindIndex,
+      folder: folderId,
       workspaceId: new Types.ObjectId(workspaceId),
       environment,
       type,
       ...getAuthDataPayloadUserObj(authData),
-    });
+    }).lean();
 
     if (secret) {
       secrets = [secret];
@@ -730,9 +908,7 @@ const deleteSecretHelper = async ({
     secretIds: secrets.map((secret) => secret._id),
   });
 
-  // (EE) take a secret snapshot
-  action &&
-    (await EELogService.createLog({
+  action && (await EELogService.createLog({
       ...getAuthDataPayloadIdObj(authData),
       workspaceId,
       actions: [action],
@@ -751,7 +927,7 @@ const deleteSecretHelper = async ({
 
   if (postHogClient) {
     postHogClient.capture({
-      event: 'secrets deleted',
+      event: "secrets deleted",
       distinctId: await TelemetryService.getDistinctId({
         authData,
       }),
@@ -759,26 +935,15 @@ const deleteSecretHelper = async ({
         numberOfSecrets: secrets.length,
         environment,
         workspaceId,
+        folderId,
         channel: authData.authChannel,
         userAgent: authData.authUserAgent,
       },
     });
   }
-
-  return {
+  
+  return ({
     secrets,
-    secret,
-  };
-};
-
-export {
-  createSecretBlindIndexDataHelper,
-  getSecretBlindIndexSaltHelper,
-  generateSecretBlindIndexWithSaltHelper,
-  generateSecretBlindIndexHelper,
-  createSecretHelper,
-  getSecretsHelper,
-  getSecretHelper,
-  updateSecretHelper,
-  deleteSecretHelper,
+    secret
+  });
 };

backend/src/helpers/signup.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { IUser } from '../models';
 import { createOrganization } from './organization';
 import { addMembershipsOrg } from './membershipOrg';
@@ -14,29 +13,21 @@ import { TOKEN_EMAIL_CONFIRMATION } from '../variables';
  * @param {String} obj.email - email
  * @returns {Boolean} success - whether or not operation was successful
  */
-const sendEmailVerification = async ({ email }: { email: string }) => {
-	try {
-		const token = await TokenService.createToken({
-			type: TOKEN_EMAIL_CONFIRMATION,
-			email
-		});
+export const sendEmailVerification = async ({ email }: { email: string }) => {
+	const token = await TokenService.createToken({
+		type: TOKEN_EMAIL_CONFIRMATION,
+		email
+	});
 
-		// send mail
-		await sendMail({
-			template: 'emailVerification.handlebars',
-			subjectLine: 'Infisical confirmation code',
-			recipients: [email],
-			substitutions: {
-				code: token
-			}
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error(
-			"Ouch. We weren't able to send your email verification code"
-		);
-	}
+  // send mail
+  await sendMail({
+    template: 'emailVerification.handlebars',
+    subjectLine: 'Infisical confirmation code',
+    recipients: [email],
+    substitutions: {
+      code: token
+    }
+  });
 };
 
 /**
@@ -45,24 +36,18 @@ const sendEmailVerification = async ({ email }: { email: string }) => {
  * @param {String} obj.email - emai
  * @param {String} obj.code - code that was sent to [email]
  */
-const checkEmailVerification = async ({
+export const checkEmailVerification = async ({
 	email,
 	code
 }: {
 	email: string;
 	code: string;
 }) => {
-	try {
-		await TokenService.validateToken({
-			type: TOKEN_EMAIL_CONFIRMATION,
-			email,
-			token: code
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error("Oops. We weren't able to verify");
-	}
+  await TokenService.validateToken({
+    type: TOKEN_EMAIL_CONFIRMATION,
+    email,
+    token: code
+  });
 };
 
 /**
@@ -72,7 +57,7 @@ const checkEmailVerification = async ({
  * @param {String} obj.organizationName - name of organization to initialize
  * @param {IUser} obj.user - user who we are initializing for
  */
-const initializeDefaultOrg = async ({
+export const initializeDefaultOrg = async ({
 	organizationName,
 	user
 }: {
@@ -96,6 +81,4 @@ const initializeDefaultOrg = async ({
 	} catch (err) {
 		throw new Error(`Failed to initialize default organization and workspace [err=${err}]`);
 	}
-};
-
-export { sendEmailVerification, checkEmailVerification, initializeDefaultOrg };
+};

backend/src/helpers/token.ts

@@ -20,7 +20,7 @@ import { getSaltRounds } from "../config";
  * @param {Types.ObjectId} obj.organizationId
  * @returns {String} token - the created token
  */
-const createTokenHelper = async ({
+export const createTokenHelper = async ({
   type,
   email,
   phoneNumber,
@@ -121,7 +121,7 @@ const createTokenHelper = async ({
  * @param {String} obj.email - email associated with the token
  * @param {String} obj.token - value of the token
  */
-const validateTokenHelper = async ({
+export const validateTokenHelper = async ({
   type,
   email,
   phoneNumber,
@@ -212,6 +212,4 @@ const validateTokenHelper = async ({
 
   // case: token is valid
   await TokenData.findByIdAndDelete(tokenData._id);
-};
-
-export { createTokenHelper, validateTokenHelper };
+};

backend/src/helpers/workspace.ts

@@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import {
 	Workspace,
 	Bot,
@@ -7,6 +6,7 @@ import {
 	Secret
 } from '../models';
 import { createBot } from '../helpers/bot';
+import { EELicenseService } from '../ee/services';
 import { SecretService } from '../services';
 
 /**
@@ -16,38 +16,32 @@ import { SecretService } from '../services';
  * @param {String} organizationId - id of organization to create workspace in
  * @param {Object} workspace - new workspace
  */
-const createWorkspace = async ({
+export const createWorkspace = async ({
 	name,
 	organizationId
 }: {
 	name: string;
 	organizationId: string;
 }) => {
-	let workspace;
-	try {
-		// create workspace
-		workspace = await new Workspace({
-			name,
-			organization: organizationId,
-			autoCapitalization: true
-		}).save();
-		
-		// initialize bot for workspace
-		await createBot({
-			name: 'Infisical Bot',
-			workspaceId: workspace._id
-		});
-		
-		// initialize blind index salt for workspace
-		await SecretService.createSecretBlindIndexData({
-			workspaceId: workspace._id
-		});
+	// create workspace
+	const workspace = await new Workspace({
+		name,
+		organization: organizationId,
+		autoCapitalization: true
+	}).save();
+  
+	// initialize bot for workspace
+	await createBot({
+		name: 'Infisical Bot',
+		workspaceId: workspace._id
+	});
+  
+	// initialize blind index salt for workspace
+	await SecretService.createSecretBlindIndexData({
+		workspaceId: workspace._id
+	});
 
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create workspace');
-	}
+	await EELicenseService.refreshPlan(organizationId);
 
 	return workspace;
 };
@@ -58,29 +52,18 @@ const createWorkspace = async ({
  * @param {Object} obj
  * @param {String} obj.id - id of workspace to delete
  */
-const deleteWorkspace = async ({ id }: { id: string }) => {
-	try {
-		await Workspace.deleteOne({ _id: id });
-		await Bot.deleteOne({
-			workspace: id
-		});
-		await Membership.deleteMany({
-			workspace: id
-		});
-		await Secret.deleteMany({
-			workspace: id
-		});
-		await Key.deleteMany({
-			workspace: id
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to delete workspace');
-	}
-};
-
-export {
-	createWorkspace, 
-	deleteWorkspace 
+export const deleteWorkspace = async ({ id }: { id: string }) => {
+	await Workspace.deleteOne({ _id: id });
+	await Bot.deleteOne({
+		workspace: id
+	});
+	await Membership.deleteMany({
+		workspace: id
+	});
+	await Secret.deleteMany({
+		workspace: id
+	});
+	await Key.deleteMany({
+		workspace: id
+	});
 };

backend/src/index.ts

@@ -1,6 +1,8 @@
 import dotenv from "dotenv";
 dotenv.config();
 import express from "express";
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+require('express-async-errors');
 import helmet from "helmet";
 import cors from "cors";
 import { DatabaseService } from "./services";
@@ -11,7 +13,6 @@ import swaggerUi = require("swagger-ui-express");
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const swaggerFile = require("../spec.json");
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const requestIp = require("request-ip");
 import { apiLimiter } from "./helpers/rateLimiter";
 import {
   workspace as eeWorkspaceRouter,
@@ -84,8 +85,6 @@ const main = async () => {
     })
   );
 
-  app.use(requestIp.mw());
-
   if ((await getNodeEnv()) === "production") {
     // enable app-wide rate-limiting + helmet security
     // in production
@@ -94,6 +93,13 @@ const main = async () => {
     app.use(helmet());
   }
 
+  app.use((req, res, next) => {
+    // default to IP address provided by Cloudflare
+    const cfIp = req.headers['cf-connecting-ip'];
+    req.realIP = Array.isArray(cfIp) ? cfIp[0] : (cfIp as string) || req.ip;
+    next();
+  });
+
   // (EE) routes
   app.use("/api/v1/secret", eeSecretRouter);
   app.use("/api/v1/secret-snapshot", eeSecretSnapshotRouter);

backend/src/integrations/apps.ts

@@ -16,6 +16,7 @@ import {
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
   INTEGRATION_SUPABASE,
+  INTEGRATION_CHECKLY,
   INTEGRATION_HEROKU_API_URL,
   INTEGRATION_GITLAB_API_URL,
   INTEGRATION_VERCEL_API_URL,
@@ -26,6 +27,7 @@ import {
   INTEGRATION_CIRCLECI_API_URL,
   INTEGRATION_TRAVISCI_API_URL,
   INTEGRATION_SUPABASE_API_URL,
+  INTEGRATION_CHECKLY_API_URL
 } from "../variables";
 
 interface App {
@@ -120,6 +122,11 @@ const getApps = async ({
         accessToken,
       });
       break;
+    case INTEGRATION_CHECKLY:
+      apps = await getAppsCheckly({
+        accessToken,
+      });
+      break;
   }
 
   return apps;
@@ -601,4 +608,32 @@ const getAppsSupabase = async ({ accessToken }: { accessToken: string }) => {
   return apps;
 };
 
+/**
+ * Return list of projects for the Checkly integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - api key for the Checkly API
+ * @returns {Object[]} apps - Сheckly accounts
+ * @returns {String} apps.name - name of Checkly account
+ */
+const getAppsCheckly = async ({ accessToken }: { accessToken: string }) => {
+  const { data } = await standardRequest.get(
+    `${INTEGRATION_CHECKLY_API_URL}/v1/accounts`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept": "application/json",
+      },
+    }
+  );
+
+  const apps = data.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id,
+    };
+  });
+
+  return apps;
+};
+
 export { getApps };

backend/src/interfaces/middleware/index.ts

@@ -1,3 +1,4 @@
+import { Types } from 'mongoose';
 import {
     IUser,
     IServiceAccount,
@@ -10,4 +11,5 @@ export interface AuthData {
     authChannel: string;
     authIP: string;
     authUserAgent: string;
+    tokenVersionId?: Types.ObjectId;
 }

backend/src/interfaces/services/SecretService/index.ts

@@ -5,7 +5,6 @@ export interface CreateSecretParams {
   secretName: string;
   workspaceId: Types.ObjectId;
   environment: string;
-  folderId?: string;
   type: "shared" | "personal";
   authData: AuthData;
   secretKeyCiphertext: string;
@@ -17,17 +16,20 @@ export interface CreateSecretParams {
   secretCommentCiphertext?: string;
   secretCommentIV?: string;
   secretCommentTag?: string;
+  secretPath: string;
 }
 
 export interface GetSecretsParams {
   workspaceId: Types.ObjectId;
   environment: string;
+  secretPath: string;
   authData: AuthData;
 }
 
 export interface GetSecretParams {
   secretName: string;
   workspaceId: Types.ObjectId;
+  secretPath: string;
   environment: string;
   type?: "shared" | "personal";
   authData: AuthData;
@@ -42,7 +44,7 @@ export interface UpdateSecretParams {
   secretValueCiphertext: string;
   secretValueIV: string;
   secretValueTag: string;
-  folderId?: string;
+  secretPath: string;
 }
 
 export interface DeleteSecretParams {
@@ -51,4 +53,5 @@ export interface DeleteSecretParams {
   environment: string;
   type: "shared" | "personal";
   authData: AuthData;
+  secretPath: string;
 }

backend/src/middleware/requestErrorHandler.ts

@@ -3,6 +3,7 @@ import { ErrorRequestHandler } from 'express';
 import { InternalServerError } from '../utils/errors';
 import { getLogger } from '../utils/logger';
 import RequestError, { LogLevel } from '../utils/requestError';
+import { getNodeEnv } from '../config';
 
 export const requestErrorHandler: ErrorRequestHandler = async (
   error: RequestError | Error,
@@ -12,6 +13,11 @@ export const requestErrorHandler: ErrorRequestHandler = async (
 ) => {
   if (res.headersSent) return next();
 
+  if (await getNodeEnv() !== "production") {
+    /* eslint-disable no-console */
+    console.error(error);
+  }
+
   //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
   if (!(error instanceof RequestError)) {
     error = InternalServerError({

backend/src/middleware/requireAuth.ts

@@ -71,10 +71,12 @@ const requireAuth = ({
 				req.user = authPayload;
 				break;
 			default:
-				authPayload = await getAuthUserPayload({
+				const { user, tokenVersionId } = await getAuthUserPayload({
 					authTokenValue
 				});
-				req.user = authPayload;
+				authPayload = user;
+				req.user = user;
+				req.tokenVersionId = tokenVersionId;
 				break;
 		}
 
@@ -88,8 +90,9 @@ const requireAuth = ({
 			authMode,
 			authPayload, // User, ServiceAccount, ServiceTokenData
 			authChannel: getChannelFromUserAgent(req.headers['user-agent']),
-			authIP: req.ip,
-			authUserAgent: req.headers['user-agent'] ?? 'other'
+			authIP: req.realIP,
+			authUserAgent: req.headers['user-agent'] ?? 'other',
+			tokenVersionId: req.tokenVersionId
 		}
 
 		return next();

backend/src/middleware/requireWorkspaceAuth.ts

@@ -16,13 +16,15 @@ const requireWorkspaceAuth = ({
 	locationWorkspaceId,
 	locationEnvironment = undefined,
 	requiredPermissions = [],
-	requireBlindIndicesEnabled = false
+	requireBlindIndicesEnabled = false,
+	requireE2EEOff = false
 }: {
 	acceptedRoles: Array<'admin' | 'member'>;
 	locationWorkspaceId: req;
 	locationEnvironment?: req | undefined;
 	requiredPermissions?: string[];
 	requireBlindIndicesEnabled?: boolean;
+	requireE2EEOff?: boolean;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
 		const workspaceId = req[locationWorkspaceId]?.workspaceId;
@@ -35,7 +37,8 @@ const requireWorkspaceAuth = ({
 			environment,
 			acceptedRoles,
 			requiredPermissions,
-			requireBlindIndicesEnabled
+			requireBlindIndicesEnabled,
+			requireE2EEOff
 		});
 		
 		if (membership) {

backend/src/models/index.ts

@@ -22,6 +22,7 @@ import Workspace, { IWorkspace } from './workspace';
 import ServiceTokenData, { IServiceTokenData } from './serviceTokenData';
 import APIKeyData, { IAPIKeyData } from './apiKeyData';
 import LoginSRPDetail, { ILoginSRPDetail } from './loginSRPDetail';
+import TokenVersion, { ITokenVersion } from './tokenVersion';
 
 export {
 	AuthProvider,
@@ -72,5 +73,7 @@ export {
 	APIKeyData,
 	IAPIKeyData,
 	LoginSRPDetail,
-	ILoginSRPDetail
+	ILoginSRPDetail,
+	TokenVersion,
+	ITokenVersion
 };

backend/src/models/integration.ts

@@ -13,7 +13,9 @@ import {
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
-  INTEGRATION_SUPABASE
+  INTEGRATION_SUPABASE,
+  INTEGRATION_CHECKLY,
+  INTEGRATION_HASHICORP_VAULT
 } from "../variables";
 
 export interface IIntegration {
@@ -45,7 +47,9 @@ export interface IIntegration {
     | 'flyio'
     | 'circleci'
     | 'travisci'
-    | 'supabase';
+    | 'supabase'
+    | 'checkly'
+    | 'hashicorp-vault';
   integrationAuth: Types.ObjectId;
 }
 
@@ -130,7 +134,9 @@ const integrationSchema = new Schema<IIntegration>(
         INTEGRATION_FLYIO,
         INTEGRATION_CIRCLECI,
         INTEGRATION_TRAVISCI,
-        INTEGRATION_SUPABASE
+        INTEGRATION_SUPABASE,
+        INTEGRATION_CHECKLY,
+        INTEGRATION_HASHICORP_VAULT
       ],
       required: true,
     },

backend/src/models/integrationAuth.ts

@@ -14,6 +14,7 @@ import {
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
   INTEGRATION_SUPABASE,
+  INTEGRATION_HASHICORP_VAULT,
   ALGORITHM_AES_256_GCM,
   ENCODING_SCHEME_UTF8,
   ENCODING_SCHEME_BASE64
@@ -22,9 +23,11 @@ import {
 export interface IIntegrationAuth extends Document {
   _id: Types.ObjectId;
   workspace: Types.ObjectId;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'gitlab' | 'render' | 'railway' | 'flyio' | 'azure-key-vault' | 'circleci' | 'travisci' | 'supabase' | 'aws-parameter-store' | 'aws-secret-manager';
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'gitlab' | 'render' | 'railway' | 'flyio' | 'azure-key-vault' | 'circleci' | 'travisci' | 'supabase' | 'aws-parameter-store' | 'aws-secret-manager' | 'checkly';
   teamId: string;
   accountId: string;
+  url: string;
+  namespace: string;
   refreshCiphertext?: string;
   refreshIV?: string;
   refreshTag?: string;
@@ -62,7 +65,8 @@ const integrationAuthSchema = new Schema<IIntegrationAuth>(
         INTEGRATION_FLYIO,
         INTEGRATION_CIRCLECI,
         INTEGRATION_TRAVISCI,
-        INTEGRATION_SUPABASE
+        INTEGRATION_SUPABASE,
+        INTEGRATION_HASHICORP_VAULT
       ],
       required: true,
     },
@@ -70,6 +74,14 @@ const integrationAuthSchema = new Schema<IIntegrationAuth>(
       // vercel-specific integration param
       type: String,
     },
+    url: {
+      // for any self-hosted integrations (e.g. self-hosted hashicorp-vault)
+      type: String
+    },
+    namespace: {
+      // hashicorp-vault-specific integration param
+      type: String
+    },
     accountId: {
       // netlify-specific integration param
       type: String,

backend/src/models/serviceTokenData.ts

@@ -1,79 +1,88 @@
-import { Schema, model, Types, Document } from 'mongoose';
+import { Schema, model, Types, Document } from "mongoose";
 
 export interface IServiceTokenData extends Document {
-    _id: Types.ObjectId;
-    name: string;
-    workspace: Types.ObjectId;
-    environment: string;
-    user: Types.ObjectId;
-    serviceAccount: Types.ObjectId;
-    lastUsed: Date;
-    expiresAt: Date;
-    secretHash: string;
-    encryptedKey: string;
-    iv: string;
-    tag: string;
-    permissions: string[];
+  _id: Types.ObjectId;
+  name: string;
+  workspace: Types.ObjectId;
+  environment: string;
+  user: Types.ObjectId;
+  serviceAccount: Types.ObjectId;
+  lastUsed: Date;
+  expiresAt: Date;
+  secretHash: string;
+  encryptedKey: string;
+  iv: string;
+  tag: string;
+  secretPath: string;
+  permissions: string[];
 }
 
 const serviceTokenDataSchema = new Schema<IServiceTokenData>(
-    {
-        name: {
-            type: String,
-            required: true
-        },
-        workspace: {
-            type: Schema.Types.ObjectId,
-            ref: 'Workspace',
-            required: true
-        },
-        environment: {
-            type: String,
-            required: true
-        },
-        user: {
-            type: Schema.Types.ObjectId,
-            ref: 'User',
-            required: true
-        },
-        serviceAccount: {
-            type: Schema.Types.ObjectId,
-            ref: 'ServiceAccount'
-        },
-        lastUsed: {
-            type: Date
-        },
-        expiresAt: {
-            type: Date
-        },
-        secretHash: {
-            type: String,
-            required: true,
-            select: false
-        },
-        encryptedKey: {
-            type: String,
-            select: false
-        },
-        iv: {
-            type: String,
-            select: false
-        },
-        tag: {
-            type: String,
-            select: false
-        },
-        permissions: {
-            type: [String],
-            enum: ['read', 'write'],
-            default: ['read']
-        }
-    }, 
-    {
-        timestamps: true
-    }
+  {
+    name: {
+      type: String,
+      required: true,
+    },
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
+    },
+    environment: {
+      type: String,
+      required: true,
+    },
+    user: {
+      type: Schema.Types.ObjectId,
+      ref: "User",
+      required: true,
+    },
+    serviceAccount: {
+      type: Schema.Types.ObjectId,
+      ref: "ServiceAccount",
+    },
+    lastUsed: {
+      type: Date,
+    },
+    expiresAt: {
+      type: Date,
+    },
+    secretHash: {
+      type: String,
+      required: true,
+      select: false,
+    },
+    encryptedKey: {
+      type: String,
+      select: false,
+    },
+    iv: {
+      type: String,
+      select: false,
+    },
+    tag: {
+      type: String,
+      select: false,
+    },
+    permissions: {
+      type: [String],
+      enum: ["read", "write"],
+      default: ["read"],
+    },
+    secretPath: {
+      type: String,
+      default: "/",
+      required: true,
+    },
+  },
+  {
+    timestamps: true,
+  }
+);
+
+const ServiceTokenData = model<IServiceTokenData>(
+  "ServiceTokenData",
+  serviceTokenDataSchema
 );
 
-const ServiceTokenData = model<IServiceTokenData>('ServiceTokenData', serviceTokenDataSchema);
-    
 export default ServiceTokenData;

backend/src/models/tokenVersion.ts

@@ -0,0 +1,47 @@
+import { Schema, model, Types, Document } from 'mongoose';
+
+export interface ITokenVersion extends Document {
+    user: Types.ObjectId;
+    ip: string;
+    userAgent: string;
+    refreshVersion: number;
+    accessVersion: number;
+    lastUsed: Date;
+}
+
+const tokenVersionSchema = new Schema<ITokenVersion>(
+    {
+        user: {
+            type: Schema.Types.ObjectId,
+            ref: 'User',
+            required: true
+        },
+        ip: {
+            type: String,
+            required: true
+        },
+        userAgent: {
+            type: String,
+            required: true
+        },
+        refreshVersion: {
+            type: Number,
+            required: true
+        },
+        accessVersion: {
+            type: Number,
+            required: true
+        },
+        lastUsed: {
+            type: Date,
+            required: true
+        }
+    },
+    {
+        timestamps: true
+    }
+);
+
+const TokenVersion = model<ITokenVersion>('TokenVersion', tokenVersionSchema);
+
+export default TokenVersion;

backend/src/models/user.ts

@@ -21,7 +21,6 @@ export interface IUser extends Document {
 	tag?: string;
 	salt?: string;
 	verifier?: string;
-	refreshVersion?: number;
 	isMfaEnabled: boolean;
 	mfaMethods: boolean;
 	devices: {
@@ -91,11 +90,6 @@ const userSchema = new Schema<IUser>(
 			type: String,
 			select: false
 		},
-		refreshVersion: {
-			type: Number,
-			default: 0,
-			select: false
-		},
 		isMfaEnabled: {
 			type: Boolean,
 			default: false
@@ -108,7 +102,8 @@ const userSchema = new Schema<IUser>(
 				ip: String,
 				userAgent: String
 			}],
-			default: []
+			default: [],
+			select: false
 		}
 	}, 
 	{

backend/src/models/workspace.ts

@@ -37,10 +37,6 @@ const workspaceSchema = new Schema<IWorkspace>({
 				name: "Development",
 				slug: "dev"
 			},
-			{
-				name: "Test",
-				slug: "test"
-			},
 			{
 				name: "Staging",
 				slug: "staging"

backend/src/routes/v1/auth.ts

@@ -44,8 +44,6 @@ router.post(
   authController.checkAuth
 );
 
-
-
 router.get(
   '/redirect/google',
   authLimiter,
@@ -53,12 +51,27 @@ router.get(
     scope: ['profile', 'email'],
     session: false,
   }),
-)
+);
 
 router.get(
   '/callback/google',
   passport.authenticate('google', { failureRedirect: '/login/provider/error', session: false }),
   authController.handleAuthProviderCallback,
-)
+);
+
+router.get(
+  '/common-passwords',
+  authLimiter,
+  authController.getCommonPasswords
+);
+
+router.delete(
+  '/sessions',
+  authLimiter,
+  requireAuth({
+    acceptedAuthModes: [AUTH_MODE_JWT]
+  }), 
+  authController.revokeAllSessions
+);
 
 export default router;

backend/src/routes/v1/integration.ts

@@ -15,7 +15,7 @@ import {
 import { body, param } from 'express-validator';
 import { integrationController } from '../../controllers/v1';
 
-router.post( // new: add new integration for integration auth
+router.post(
 	'/',
 	requireAuth({
         acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_API_KEY]

backend/src/routes/v1/integrationAuth.ts

@@ -57,6 +57,8 @@ router.post(
 	body('workspaceId').exists().trim().notEmpty(),
 	body('accessId').trim(),
 	body('accessToken').exists().trim().notEmpty(),
+	body('url').trim(),
+	body('namespace').trim(),
 	body('integration').exists().trim().notEmpty(),
 	validateRequest,
 	requireAuth({

backend/src/routes/v2/auth.ts

@@ -26,7 +26,7 @@ router.post(
 router.post(
   '/mfa/send',
   authLimiter,
-  body('email').isString().trim().notEmpty(),
+  body('email').isString().trim().notEmpty().isEmail(),
   validateRequest,
   authController.sendMfaToken
 );

backend/src/routes/v2/secrets.ts

@@ -1,15 +1,15 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import {
   requireAuth,
   requireWorkspaceAuth,
   requireSecretsAuth,
   validateRequest,
-} from '../../middleware';
-import { validateClientForSecrets } from '../../validation';
-import { query, body } from 'express-validator';
-import { secretsController } from '../../controllers/v2';
+} from "../../middleware";
+import { validateClientForSecrets } from "../../validation";
+import { query, body } from "express-validator";
+import { secretsController } from "../../controllers/v2";
 import {
   ADMIN,
   MEMBER,
@@ -21,11 +21,11 @@ import {
   AUTH_MODE_SERVICE_ACCOUNT,
   AUTH_MODE_SERVICE_TOKEN,
   AUTH_MODE_API_KEY,
-} from '../../variables';
-import { BatchSecretRequest } from '../../types/secret';
+} from "../../variables";
+import { BatchSecretRequest } from "../../types/secret";
 
 router.post(
-  '/batch',
+  "/batch",
   requireAuth({
     acceptedAuthModes: [
       AUTH_MODE_JWT,
@@ -35,12 +35,13 @@ router.post(
   }),
   requireWorkspaceAuth({
     acceptedRoles: [ADMIN, MEMBER],
-    locationWorkspaceId: 'body',
+    locationWorkspaceId: "body",
   }),
-  body('workspaceId').exists().isString().trim(),
-  body('folderId').default('root').isString().trim(),
-  body('environment').exists().isString().trim(),
-  body('requests')
+  body("workspaceId").exists().isString().trim(),
+  body("folderId").default("root").isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("secretPath").optional().isString().trim(),
+  body("requests")
     .exists()
     .custom(async (requests: BatchSecretRequest[], { req }) => {
       if (Array.isArray(requests)) {
@@ -65,17 +66,18 @@ router.post(
 );
 
 router.post(
-  '/',
-  body('workspaceId').exists().isString().trim(),
-  body('environment').exists().isString().trim(),
-  body('folderId').default('root').isString().trim(),
-  body('secrets')
+  "/",
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("folderId").default("root").isString().trim(),
+  body("secretPath").optional().isString().trim(),
+  body("secrets")
     .exists()
     .custom((value) => {
       if (Array.isArray(value)) {
         // case: create multiple secrets
         if (value.length === 0)
-          throw new Error('secrets cannot be an empty array');
+          throw new Error("secrets cannot be an empty array");
         for (const secret of value) {
           if (
             !secret.type ||
@@ -85,16 +87,16 @@ router.post(
             !secret.secretKeyCiphertext ||
             !secret.secretKeyIV ||
             !secret.secretKeyTag ||
-            typeof secret.secretValueCiphertext !== 'string' ||
+            typeof secret.secretValueCiphertext !== "string" ||
             !secret.secretValueIV ||
             !secret.secretValueTag
           ) {
             throw new Error(
-              'secrets array must contain objects that have required secret properties'
+              "secrets array must contain objects that have required secret properties"
             );
           }
         }
-      } else if (typeof value === 'object') {
+      } else if (typeof value === "object") {
         // case: update 1 secret
         if (
           !value.type ||
@@ -107,11 +109,11 @@ router.post(
           !value.secretValueTag
         ) {
           throw new Error(
-            'secrets object is missing required secret properties'
+            "secrets object is missing required secret properties"
           );
         }
       } else {
-        throw new Error('secrets must be an object or an array of objects');
+        throw new Error("secrets must be an object or an array of objects");
       }
 
       return true;
@@ -126,19 +128,20 @@ router.post(
   }),
   requireWorkspaceAuth({
     acceptedRoles: [ADMIN, MEMBER],
-    locationWorkspaceId: 'body',
-    locationEnvironment: 'body',
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
     requiredPermissions: [PERMISSION_WRITE_SECRETS],
   }),
   secretsController.createSecrets
 );
 
 router.get(
-  '/',
-  query('workspaceId').exists().trim(),
-  query('environment').exists().trim(),
-  query('tagSlugs'),
-  query('folderId').default('root').isString().trim(),
+  "/",
+  query("workspaceId").exists().trim(),
+  query("environment").exists().trim(),
+  query("tagSlugs"),
+  query("folderId").default("root").isString().trim(),
+  query("secretPath").optional().isString().trim(),
   validateRequest,
   requireAuth({
     acceptedAuthModes: [
@@ -150,34 +153,34 @@ router.get(
   }),
   requireWorkspaceAuth({
     acceptedRoles: [ADMIN, MEMBER],
-    locationWorkspaceId: 'query',
-    locationEnvironment: 'query',
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
     requiredPermissions: [PERMISSION_READ_SECRETS],
   }),
   secretsController.getSecrets
 );
 
 router.patch(
-  '/',
-  body('secrets')
+  "/",
+  body("secrets")
     .exists()
     .custom((value) => {
       if (Array.isArray(value)) {
         // case: update multiple secrets
         if (value.length === 0)
-          throw new Error('secrets cannot be an empty array');
+          throw new Error("secrets cannot be an empty array");
         for (const secret of value) {
           if (!secret.id) {
-            throw new Error('Each secret must contain a ID property');
+            throw new Error("Each secret must contain a ID property");
           }
         }
-      } else if (typeof value === 'object') {
+      } else if (typeof value === "object") {
         // case: update 1 secret
         if (!value.id) {
-          throw new Error('secret must contain a ID property');
+          throw new Error("secret must contain a ID property");
         }
       } else {
-        throw new Error('secrets must be an object or an array of objects');
+        throw new Error("secrets must be an object or an array of objects");
       }
 
       return true;
@@ -198,21 +201,21 @@ router.patch(
 );
 
 router.delete(
-  '/',
-  body('secretIds')
+  "/",
+  body("secretIds")
     .exists()
     .custom((value) => {
       // case: delete 1 secret
-      if (typeof value === 'string') return true;
+      if (typeof value === "string") return true;
 
       if (Array.isArray(value)) {
         // case: delete multiple secrets
         if (value.length === 0)
-          throw new Error('secrets cannot be an empty array');
-        return value.every((id: string) => typeof id === 'string');
+          throw new Error("secrets cannot be an empty array");
+        return value.every((id: string) => typeof id === "string");
       }
 
-      throw new Error('secretIds must be a string or an array of strings');
+      throw new Error("secretIds must be a string or an array of strings");
     })
     .not()
     .isEmpty(),

backend/src/routes/v2/serviceTokenData.ts

@@ -1,72 +1,79 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-    requireAuth,
-    requireWorkspaceAuth,
-    requireServiceTokenDataAuth,
-    validateRequest
-} from '../../middleware';
-import { param, body } from 'express-validator';
+  requireAuth,
+  requireWorkspaceAuth,
+  requireServiceTokenDataAuth,
+  validateRequest,
+} from "../../middleware";
+import { param, body } from "express-validator";
 import {
-    ADMIN,
-    MEMBER,
-    PERMISSION_WRITE_SECRETS,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN
-} from '../../variables';
-import { serviceTokenDataController } from '../../controllers/v2';
+  ADMIN,
+  MEMBER,
+  PERMISSION_WRITE_SECRETS,
+  AUTH_MODE_JWT,
+  AUTH_MODE_SERVICE_ACCOUNT,
+  AUTH_MODE_SERVICE_TOKEN,
+} from "../../variables";
+import { serviceTokenDataController } from "../../controllers/v2";
 
 router.get(
-    '/',
-    requireAuth({
-        acceptedAuthModes: [AUTH_MODE_SERVICE_TOKEN]
-    }),
-    serviceTokenDataController.getServiceTokenData
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AUTH_MODE_SERVICE_TOKEN],
+  }),
+  serviceTokenDataController.getServiceTokenData
 );
 
 router.post(
-    '/',
-	requireAuth({
-		acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT]
-	}),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS]
-    }),
-    body('name').exists().isString().trim(),
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('encryptedKey').exists().isString().trim(),
-    body('iv').exists().isString().trim(),
-    body('tag').exists().isString().trim(),
-    body('expiresIn').exists().isNumeric(), // measured in ms
-    body('permissions').isArray({ min: 1 }).custom((value: string[]) => {
-        const allowedPermissions = ['read', 'write'];
-        const invalidValues = value.filter((v) => !allowedPermissions.includes(v));
-        if (invalidValues.length > 0) {
-            throw new Error(`permissions contains invalid values: ${invalidValues.join(', ')}`);
-        }
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AUTH_MODE_JWT, AUTH_MODE_SERVICE_ACCOUNT],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+  }),
+  body("name").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("encryptedKey").exists().isString().trim(),
+  body("iv").exists().isString().trim(),
+  body("secretPath").isString().default("/").trim(),
+  body("tag").exists().isString().trim(),
+  body("expiresIn").exists().isNumeric(), // measured in ms
+  body("permissions")
+    .isArray({ min: 1 })
+    .custom((value: string[]) => {
+      const allowedPermissions = ["read", "write"];
+      const invalidValues = value.filter(
+        (v) => !allowedPermissions.includes(v)
+      );
+      if (invalidValues.length > 0) {
+        throw new Error(
+          `permissions contains invalid values: ${invalidValues.join(", ")}`
+        );
+      }
 
-        return true
+      return true;
     }),
-    validateRequest,
-    serviceTokenDataController.createServiceTokenData
+  validateRequest,
+  serviceTokenDataController.createServiceTokenData
 );
 
 router.delete(
-    '/:serviceTokenDataId',
-	requireAuth({
-		acceptedAuthModes: [AUTH_MODE_JWT]
-	}),
-    requireServiceTokenDataAuth({
-        acceptedRoles: [ADMIN, MEMBER]
-    }),
-    param('serviceTokenDataId').exists().trim(),
-    validateRequest,
-    serviceTokenDataController.deleteServiceTokenData
+  "/:serviceTokenDataId",
+  requireAuth({
+    acceptedAuthModes: [AUTH_MODE_JWT],
+  }),
+  requireServiceTokenDataAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+  }),
+  param("serviceTokenDataId").exists().trim(),
+  validateRequest,
+  serviceTokenDataController.deleteServiceTokenData
 );
 
-export default router;
+export default router;

backend/src/routes/v3/secrets.ts

@@ -1,157 +1,301 @@
-import express from 'express';
+import express from "express";
 const router = express.Router();
 import {
-    requireAuth, 
-    requireWorkspaceAuth,
-    validateRequest
-} from '../../middleware';
-import { body, param, query } from 'express-validator';
-import { secretsController } from '../../controllers/v3';
+  requireAuth,
+  requireWorkspaceAuth,
+  validateRequest,
+} from "../../middleware";
+import { body, param, query } from "express-validator";
+import { secretsController } from "../../controllers/v3";
 import {
-    AUTH_MODE_JWT,
-    AUTH_MODE_API_KEY,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    ADMIN,
-    MEMBER,
-    PERMISSION_WRITE_SECRETS,
-    SECRET_SHARED,
-    SECRET_PERSONAL,
-    PERMISSION_READ_SECRETS
-} from '../../variables';
+  AUTH_MODE_JWT,
+  AUTH_MODE_API_KEY,
+  AUTH_MODE_SERVICE_TOKEN,
+  AUTH_MODE_SERVICE_ACCOUNT,
+  ADMIN,
+  MEMBER,
+  PERMISSION_WRITE_SECRETS,
+  SECRET_SHARED,
+  SECRET_PERSONAL,
+  PERMISSION_READ_SECRETS,
+} from "../../variables";
 
 router.get(
-    '/',
-    query('workspaceId').exists().isString().trim(),
-    query('environment').exists().isString().trim(),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY, 
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'query',
-        locationEnvironment: 'query',
-        requiredPermissions: [PERMISSION_READ_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.getSecrets
+  "/raw",
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.getSecretsRaw
+);
+
+router.get(
+  "/raw/:secretName",
+  param("secretName").exists().isString().trim(),
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("secretPath").default("/").isString().trim(),
+  query("type").optional().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.getSecretByNameRaw
 );
 
 router.post(
-    '/:secretName',
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('type').exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
-    body('secretKeyCiphertext').exists().isString().trim(),
-    body('secretKeyIV').exists().isString().trim(),
-    body('secretKeyTag').exists().isString().trim(),
-    body('secretValueCiphertext').exists().isString().trim(),
-    body('secretValueIV').exists().isString().trim(),
-    body('secretValueTag').exists().isString().trim(),
-    body('secretCommentCiphertext').optional().isString().trim(),
-    body('secretCommentIV').optional().isString().trim(),
-    body('secretCommentTag').optional().isString().trim(),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY,
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.createSecret
-);
-
-router.get(
-    '/:secretName',
-    param('secretName').exists().isString().trim(),
-    query('workspaceId').exists().isString().trim(),
-    query('environment').exists().isString().trim(),
-    query('type').optional().isIn([SECRET_SHARED, SECRET_PERSONAL]),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY,
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'query',
-        locationEnvironment: 'query',
-        requiredPermissions: [PERMISSION_READ_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.getSecretByName
+  "/raw/:secretName",
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  body("secretValue").exists().isString().trim(),
+  body("secretComment").default("").isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.createSecretRaw
 );
 
 router.patch(
-    '/:secretName',
-    param('secretName').exists().isString().trim(),
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('type').exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
-    body('secretValueCiphertext').exists().isString().trim(),
-    body('secretValueIV').exists().isString().trim(),
-    body('secretValueTag').exists().isString().trim(),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY,
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.updateSecretByName
+  "/raw/:secretName",
+  param("secretName").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  body("secretValue").exists().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.updateSecretByNameRaw
 );
 
 router.delete(
-    '/:secretName',
-    param('secretName').exists().isString().trim(),
-    body('workspaceId').exists().isString().trim(),
-    body('environment').exists().isString().trim(),
-    body('type').exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
-    validateRequest,
-    requireAuth({
-        acceptedAuthModes: [
-            AUTH_MODE_JWT, 
-            AUTH_MODE_API_KEY,
-            AUTH_MODE_SERVICE_TOKEN,
-            AUTH_MODE_SERVICE_ACCOUNT
-        ]
-    }),
-    requireWorkspaceAuth({
-        acceptedRoles: [ADMIN, MEMBER],
-        locationWorkspaceId: 'body',
-        locationEnvironment: 'body',
-        requiredPermissions: [PERMISSION_WRITE_SECRETS],
-        requireBlindIndicesEnabled: true,
-    }),
-    secretsController.deleteSecretByName 
+  "/raw/:secretName",
+  param("secretName").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: true
+  }),
+  secretsController.deleteSecretByNameRaw
 );
 
-export default router;
+router.get(
+  "/",
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: false
+  }),
+  secretsController.getSecrets
+);
+
+router.post(
+  "/:secretName",
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  body("secretKeyCiphertext").exists().isString().trim(),
+  body("secretKeyIV").exists().isString().trim(),
+  body("secretKeyTag").exists().isString().trim(),
+  body("secretValueCiphertext").exists().isString().trim(),
+  body("secretValueIV").exists().isString().trim(),
+  body("secretValueTag").exists().isString().trim(),
+  body("secretCommentCiphertext").optional().isString().trim(),
+  body("secretCommentIV").optional().isString().trim(),
+  body("secretCommentTag").optional().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: false
+  }),
+  secretsController.createSecret
+);
+
+router.get(
+  "/:secretName",
+  param("secretName").exists().isString().trim(),
+  query("workspaceId").exists().isString().trim(),
+  query("environment").exists().isString().trim(),
+  query("secretPath").default("/").isString().trim(),
+  query("type").optional().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "query",
+    locationEnvironment: "query",
+    requiredPermissions: [PERMISSION_READ_SECRETS],
+    requireBlindIndicesEnabled: true,
+  }),
+  secretsController.getSecretByName
+);
+
+router.patch(
+  "/:secretName",
+  param("secretName").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  body("secretValueCiphertext").exists().isString().trim(),
+  body("secretValueIV").exists().isString().trim(),
+  body("secretValueTag").exists().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: false
+  }),
+  secretsController.updateSecretByName
+);
+
+router.delete(
+  "/:secretName",
+  param("secretName").exists().isString().trim(),
+  body("workspaceId").exists().isString().trim(),
+  body("environment").exists().isString().trim(),
+  body("secretPath").default("/").isString().trim(),
+  body("type").exists().isIn([SECRET_SHARED, SECRET_PERSONAL]),
+  validateRequest,
+  requireAuth({
+    acceptedAuthModes: [
+      AUTH_MODE_JWT,
+      AUTH_MODE_API_KEY,
+      AUTH_MODE_SERVICE_TOKEN,
+      AUTH_MODE_SERVICE_ACCOUNT,
+    ],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [ADMIN, MEMBER],
+    locationWorkspaceId: "body",
+    locationEnvironment: "body",
+    requiredPermissions: [PERMISSION_WRITE_SECRETS],
+    requireBlindIndicesEnabled: true,
+    requireE2EEOff: false
+  }),
+  secretsController.deleteSecretByName
+);
+
+export default router;

backend/src/routes/v3/workspaces.ts

@@ -8,10 +8,9 @@ import {
 import { workspacesController } from '../../controllers/v3';
 import {
     AUTH_MODE_JWT,
-    ADMIN,
-    PERMISSION_READ_SECRETS
+    ADMIN
 } from '../../variables';
-import { param, body, validationResult } from 'express-validator';
+import { param, body } from 'express-validator';
 
 // -- migration to blind indices endpoints
 

backend/src/services/BotService.ts

@@ -1,8 +1,10 @@
 import { Types } from 'mongoose';
 import {
-    getSecretsHelper,
+    getSecretsBotHelper,
     encryptSymmetricHelper,
-    decryptSymmetricHelper
+    decryptSymmetricHelper,
+    getKey,
+    getIsWorkspaceE2EEHelper
 } from '../helpers/bot';
 
 /**
@@ -10,6 +12,31 @@ import {
  */
 class BotService {
     
+    /**
+     * Return whether or not workspace with id [workspaceId] is end-to-end encrypted
+     * @param workspaceId - id of workspace
+     * @returns {Boolean}
+     */
+    static async getIsWorkspaceE2EE(workspaceId: Types.ObjectId) {
+        return await getIsWorkspaceE2EEHelper(workspaceId);
+    }
+
+    /**
+     * Get workspace key for workspace with id [workspaceId] shared to bot.
+     * @param {Object} obj
+     * @param {Types.ObjectId} obj.workspaceId - id of workspace to get workspace key for
+     * @returns 
+     */
+    static async getWorkspaceKeyWithBot({
+        workspaceId
+    }: {
+        workspaceId: Types.ObjectId;
+    }) {
+        return await getKey({
+            workspaceId
+        });
+    }
+    
     /**
      * Return decrypted secrets for workspace with id [workspaceId] and 
      * environment [environmen] shared to bot.
@@ -25,7 +52,7 @@ class BotService {
         workspaceId: Types.ObjectId;
         environment: string;
     }) {
-        return await getSecretsHelper({
+        return await getSecretsBotHelper({
             workspaceId,
             environment
         });

backend/src/services/FolderService.ts

@@ -1,5 +1,6 @@
 import { nanoid } from "nanoid";
-import { TFolderSchema } from "../models/folder";
+import { Types } from "mongoose";
+import Folder, { TFolderSchema } from "../models/folder";
 
 type TAppendFolderDTO = {
   folderName: string;
@@ -174,6 +175,11 @@ export const searchByFolderIdWithDir = (
 // to get folder of a path given
 // Like /frontend/folder#1
 export const getFolderByPath = (folders: TFolderSchema, searchPath: string) => {
+  // corner case when its just / return root
+  if (searchPath === "/") {
+    return folders.id === "root" ? folders : undefined;
+  }
+
   const path = searchPath.split("/").filter(Boolean);
   const queue = [folders];
   let segment: TFolderSchema | undefined;
@@ -187,3 +193,25 @@ export const getFolderByPath = (folders: TFolderSchema, searchPath: string) => {
   }
   return segment;
 };
+
+export const getFolderIdFromServiceToken = async (
+  workspaceId: Types.ObjectId | string,
+  environment: string,
+  secretPath: string
+) => {
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment,
+  });
+
+  if (!folders) {
+    if (secretPath !== "/") throw new Error("Invalid path. Folders not found");
+  } else {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) {
+      throw new Error("Folder not found");
+    }
+    return folder.id;
+  }
+  return "root";
+};

backend/src/services/SecretService.ts

@@ -1,7 +1,4 @@
-import { Types } from 'mongoose';
-import {
-    ISecret
-} from '../models';
+import { Types } from "mongoose";
 import {
     CreateSecretParams,
     GetSecretsParams,
@@ -22,150 +19,150 @@ import {
 } from '../helpers/secrets';
 
 class SecretService {
+  /**
+   * Create secret blind index data containing encrypted blind index salt
+   * for workspace with id [workspaceId]
+   * @param {Object} obj
+   * @param {Buffer} obj.salt - 16-byte random salt
+   * @param {Types.ObjectId} obj.workspaceId
+   */
+  static async createSecretBlindIndexData({
+    workspaceId,
+  }: {
+    workspaceId: Types.ObjectId;
+  }) {
+    return await createSecretBlindIndexDataHelper({
+      workspaceId,
+    });
+  }
 
-    /**
-     * Create secret blind index data containing encrypted blind index salt 
-     * for workspace with id [workspaceId]
-     * @param {Object} obj
-     * @param {Buffer} obj.salt - 16-byte random salt
-     * @param {Types.ObjectId} obj.workspaceId
-     */
-    static async createSecretBlindIndexData({
-        workspaceId,
-    }: {
-        workspaceId: Types.ObjectId;
-    }) {
-        return await createSecretBlindIndexDataHelper({
-            workspaceId
-        });
-    }
+  /**
+   * Get secret blind index salt for workspace with id [workspaceId]
+   * @param {Object} obj
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace to get salt for
+   * @returns
+   */
+  static async getSecretBlindIndexSalt({
+    workspaceId,
+  }: {
+    workspaceId: Types.ObjectId;
+  }) {
+    return await getSecretBlindIndexSaltHelper({
+      workspaceId,
+    });
+  }
 
-    /**
-     * Get secret blind index salt for workspace with id [workspaceId]
-     * @param {Object} obj
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace to get salt for
-     * @returns 
-     */
-    static async getSecretBlindIndexSalt({
-        workspaceId
-    }: {
-        workspaceId: Types.ObjectId;
-    }) {
-        return await getSecretBlindIndexSaltHelper({
-            workspaceId
-        });
-    }
+  /**
+   * Generate blind index for secret with name [secretName]
+   * and salt [salt]
+   * @param {Object} obj
+   * @param {Object} obj.secretName - name of secret to generate blind index for
+   * @param {String} obj.salt - base64-salt
+   */
+  static async generateSecretBlindIndexWithSalt({
+    secretName,
+    salt,
+  }: {
+    secretName: string;
+    salt: string;
+  }) {
+    return await generateSecretBlindIndexWithSaltHelper({
+      secretName,
+      salt,
+    });
+  }
 
-    /**
-     * Generate blind index for secret with name [secretName]
-     * and salt [salt]
-     * @param {Object} obj
-     * @param {Object} obj.secretName - name of secret to generate blind index for
-     * @param {String} obj.salt - base64-salt
-     */
-     static async generateSecretBlindIndexWithSalt({
-        secretName,
-        salt
-    }: {
-        secretName: string;
-        salt: string;
-    }) {
-        return await generateSecretBlindIndexWithSaltHelper({
-            secretName,
-            salt
-        });
-    }
+  /**
+   * Create and return blind index for secret with
+   * name [secretName] part of workspace with id [workspaceId]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to generate blind index for
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+   */
+  static async generateSecretBlindIndex({
+    secretName,
+    workspaceId,
+  }: {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+  }) {
+    return await generateSecretBlindIndexHelper({
+      secretName,
+      workspaceId,
+    });
+  }
 
-    /**
-     * Create and return blind index for secret with
-     * name [secretName] part of workspace with id [workspaceId]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to generate blind index for
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
-     */
-    static async generateSecretBlindIndex({
-        secretName,
-        workspaceId,
-    }: {
-        secretName: string;
-        workspaceId: Types.ObjectId;
-    }) {
-        return await generateSecretBlindIndexHelper({
-            secretName,
-            workspaceId
-        });
-    }
-    
-    /**
-     * Create secret with name [secretName]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to create
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace to create secret for
-     * @param {String} obj.environment - environment in workspace to create secret for
-     * @param {'shared' | 'personal'} obj.type - type of secret
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async createSecret(createSecretParams: CreateSecretParams) {
-        return await createSecretHelper(createSecretParams);
-    }
+  /**
+   * Create secret with name [secretName]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to create
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace to create secret for
+   * @param {String} obj.environment - environment in workspace to create secret for
+   * @param {'shared' | 'personal'} obj.type - type of secret
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async createSecret(createSecretParams: CreateSecretParams) {
+    return await createSecretHelper(createSecretParams);
+  }
 
-    /**
-     * Get secrets for workspace with id [workspaceId] and environment [environment]
-     * @param {Object} obj
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace
-     * @param {String} obj.environment - environment in workspace
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async getSecrets(getSecretsParams: GetSecretsParams) {
-        return await getSecretsHelper(getSecretsParams);
-    }
-    
-    /**
-     * Get secret with name [secretName]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to get
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
-     * @param {String} obj.environment - environment in workspace that secret belongs to
-     * @param {'shared' | 'personal'} obj.type - type of secret
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async getSecret(getSecretParams: GetSecretParams) {
-        return await getSecretHelper(getSecretParams);
-    }
-    
-    /**
-     * Update secret with name [secretName]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to update
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
-     * @param {String} obj.environment - environment in workspace that secret belongs to
-     * @param {'shared' | 'personal'} obj.type - type of secret
-     * @param {String} obj.secretValueCiphertext - ciphertext of secret value
-     * @param {String} obj.secretValueIV - IV of secret value
-     * @param {String} obj.secretValueTag - tag of secret value
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async updateSecret(updateSecretParams: UpdateSecretParams) {
-        return await updateSecretHelper(updateSecretParams);
-    }
+  /**
+   * Get secrets for workspace with id [workspaceId] and environment [environment]
+   * @param {Object} obj
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace
+   * @param {String} obj.environment - environment in workspace
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async getSecrets(getSecretsParams: GetSecretsParams) {
+    return await getSecretsHelper(getSecretsParams);
+  }
 
-    /**
-     * Delete secret with name [secretName]
-     * @param {Object} obj
-     * @param {String} obj.secretName - name of secret to delete
-     * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
-     * @param {String} obj.environment - environment in workspace that secret belongs to
-     * @param {'shared' | 'personal'} obj.type - type of secret
-     * @param {AuthData} obj.authData - authentication data on request
-     * @returns 
-     */
-    static async deleteSecret(deleteSecretParams: DeleteSecretParams) {
-        return await deleteSecretHelper(deleteSecretParams);
-    }
+  /**
+   * Get secret with name [secretName]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to get
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+   * @param {String} obj.environment - environment in workspace that secret belongs to
+   * @param {'shared' | 'personal'} obj.type - type of secret
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async getSecret(getSecretParams: GetSecretParams) {
+    // TODO(akhilmhdh) The one above is diff. Change this to some other name
+    return await getSecretHelper(getSecretParams);
+  }
+
+  /**
+   * Update secret with name [secretName]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to update
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+   * @param {String} obj.environment - environment in workspace that secret belongs to
+   * @param {'shared' | 'personal'} obj.type - type of secret
+   * @param {String} obj.secretValueCiphertext - ciphertext of secret value
+   * @param {String} obj.secretValueIV - IV of secret value
+   * @param {String} obj.secretValueTag - tag of secret value
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async updateSecret(updateSecretParams: UpdateSecretParams) {
+    return await updateSecretHelper(updateSecretParams);
+  }
+
+  /**
+   * Delete secret with name [secretName]
+   * @param {Object} obj
+   * @param {String} obj.secretName - name of secret to delete
+   * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+   * @param {String} obj.environment - environment in workspace that secret belongs to
+   * @param {'shared' | 'personal'} obj.type - type of secret
+   * @param {AuthData} obj.authData - authentication data on request
+   * @returns
+   */
+  static async deleteSecret(deleteSecretParams: DeleteSecretParams) {
+    return await deleteSecretHelper(deleteSecretParams);
+  }
 }
 
-export default SecretService;
+export default SecretService;

backend/src/types/express/index.d.ts

@@ -1,4 +1,5 @@
 import * as express from 'express';
+import { Types } from 'mongoose';
 import { 
 	IUser,
 	IServiceAccount,
@@ -39,7 +40,9 @@ declare global {
 			serviceTokenData: any;
 			apiKeyData: any;
 			query?: any;
+			tokenVersionId?: Types.ObjectId;
 			authData: AuthData;
+			realIP: string;
 			requestData: {
 				[key: string]: string
 			};

backend/src/types/secret/index.d.ts

@@ -43,4 +43,5 @@ export interface BatchSecret {
   secretCommentIV: string;
   secretCommentTag: string;
   tags: string[];
+  folder: string
 }

backend/src/utils/patchAsyncRoutes.js

@@ -1,69 +0,0 @@
-/*
-Original work Copyright (c) 2016, Nikolay Nemshilov <nemshilov@gmail.com>
-Modified work Copyright (c) 2016, David Banham <david@banham.id.au>
-
-Permission to use, copy, modify, and/or distribute this software for any purpose
-with or without fee is hereby granted, provided that the above copyright notice
-and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
-OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
-TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
-THIS SOFTWARE.
-
-*/
-
-/* eslint-disable @typescript-eslint/no-var-requires */
-/* eslint-env node */
-const Layer = require('express/lib/router/layer');
-const Router = require('express/lib/router');
-
-const last = (arr = []) => arr[arr.length - 1];
-const noop = Function.prototype;
-
-function copyFnProps(oldFn, newFn) {
-  Object.keys(oldFn).forEach((key) => {
-    newFn[key] = oldFn[key];
-  });
-  return newFn;
-}
-
-function wrap(fn) {
-  const newFn = function newFn(...args) {
-    const ret = fn.apply(this, args);
-    const next = (args.length === 5 ? args[2] : last(args)) || noop;
-    if (ret && ret.catch) ret.catch(err => next(err));
-    return ret;
-  };
-  Object.defineProperty(newFn, 'length', {
-    value: fn.length,
-    writable: false,
-  });
-  return copyFnProps(fn, newFn);
-}
-
-function patchRouterParam() {
-  const originalParam = Router.prototype.constructor.param;
-  Router.prototype.constructor.param = function param(name, fn) {
-    fn = wrap(fn);
-    return originalParam.call(this, name, fn);
-  };
-}
-
-Object.defineProperty(Layer.prototype, 'handle', {
-  enumerable: true,
-  get() {
-    return this.__handle;
-  },
-  set(fn) {
-    fn = wrap(fn);
-    this.__handle = fn;
-  },
-});
-
-module.exports = {
-  patchRouterParam
-};

backend/src/utils/setup/backfillData.ts

@@ -1,3 +1,4 @@
+/* eslint-disable no-console */
 import crypto from "crypto";
 import { Types } from "mongoose";
 import { encryptSymmetric128BitHexKeyUTF8 } from "../crypto";
@@ -11,6 +12,7 @@ import {
   Bot,
   BackupPrivateKey,
   IntegrationAuth,
+  ServiceTokenData,
 } from "../../models";
 import { generateKeyPair } from "../../utils/crypto";
 import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
@@ -64,7 +66,7 @@ export const backfillSecretVersions = async () => {
       ),
     });
   }
-  console.log("Migration: Secret version migration v1 complete")
+  console.log("Migration: Secret version migration v1 complete");
 };
 
 /**
@@ -380,13 +382,15 @@ export const backfillSecretFolders = async () => {
       });
 
       const newSnapshots = Object.keys(groupSnapByEnv).map((snapEnv) => {
-        const secretIdsOfEnvGroup = groupSnapByEnv[snapEnv] ? groupSnapByEnv[snapEnv].map(secretVersion => secretVersion._id) : []
+        const secretIdsOfEnvGroup = groupSnapByEnv[snapEnv]
+          ? groupSnapByEnv[snapEnv].map((secretVersion) => secretVersion._id)
+          : [];
         return {
           ...secSnapshot.toObject({ virtuals: false }),
           _id: new Types.ObjectId(),
           environment: snapEnv,
           secretVersions: secretIdsOfEnvGroup,
-        }
+        };
       });
 
       await SecretSnapshot.insertMany(newSnapshots);
@@ -402,5 +406,21 @@ export const backfillSecretFolders = async () => {
       .limit(50);
   }
 
-  console.log("Migration: Folder migration v1 complete")
+  console.log("Migration: Folder migration v1 complete");
+};
+
+export const backfillServiceToken = async () => {
+  await ServiceTokenData.updateMany(
+    {
+      secretPath: {
+        $exists: false,
+      },
+    },
+    {
+      $set: {
+        secretPath: "/",
+      },
+    }
+  );
+  console.log("Migration: Service token migration v1 complete");
 };

backend/src/utils/setup/index.ts

@@ -1,31 +1,31 @@
-import * as Sentry from '@sentry/node';
-import { DatabaseService, TelemetryService } from '../../services';
-import { setTransporter } from '../../helpers/nodemailer';
-import { EELicenseService } from '../../ee/services';
-import { initSmtp } from '../../services/smtp';
-import { createTestUserForDevelopment } from '../addDevelopmentUser';
+import * as Sentry from "@sentry/node";
+import { DatabaseService, TelemetryService } from "../../services";
+import { setTransporter } from "../../helpers/nodemailer";
+import { EELicenseService } from "../../ee/services";
+import { initSmtp } from "../../services/smtp";
+import { createTestUserForDevelopment } from "../addDevelopmentUser";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('../patchAsyncRoutes');
-import { validateEncryptionKeysConfig } from './validateConfig';
+import { validateEncryptionKeysConfig } from "./validateConfig";
 import {
   backfillSecretVersions,
   backfillBots,
   backfillSecretBlindIndexData,
   backfillEncryptionMetadata,
   backfillSecretFolders,
-} from './backfillData';
+  backfillServiceToken,
+} from "./backfillData";
 import {
   reencryptBotPrivateKeys,
   reencryptSecretBlindIndexDataSalts,
-} from './reencryptData';
+} from "./reencryptData";
 import {
   getNodeEnv,
   getMongoURL,
   getSentryDSN,
   getClientSecretGoogle,
   getClientIdGoogle,
-} from '../../config';
-import { initializePassport } from '../auth';
+} from "../../config";
+import { initializePassport } from "../auth";
 
 /**
  * Prepare Infisical upon startup. This includes tasks like:
@@ -38,7 +38,6 @@ import { initializePassport } from '../auth';
  * - Re-encrypting data
  */
 export const setup = async () => {
-  patchRouterParam();
   await validateEncryptionKeysConfig();
   await TelemetryService.logTelemetryMessage();
 
@@ -77,6 +76,7 @@ export const setup = async () => {
   await backfillSecretBlindIndexData();
   await backfillEncryptionMetadata();
   await backfillSecretFolders();
+  await backfillServiceToken();
 
   // re-encrypt any data previously encrypted under server hex 128-bit ENCRYPTION_KEY
   // to base64 256-bit ROOT_ENCRYPTION_KEY
@@ -87,7 +87,7 @@ export const setup = async () => {
   Sentry.init({
     dsn: await getSentryDSN(),
     tracesSampleRate: 1.0,
-    debug: (await getNodeEnv()) === 'production' ? false : true,
+    debug: (await getNodeEnv()) === "production" ? false : true,
     environment: await getNodeEnv(),
   });
 

backend/src/utils/setup/validateConfig.ts

@@ -21,39 +21,39 @@ import {
 export const validateEncryptionKeysConfig = async () => {
     const encryptionKey = await getEncryptionKey();
     const rootEncryptionKey = await getRootEncryptionKey();
-    
+
     if (
         (encryptionKey === undefined || encryptionKey === "") &&
         (rootEncryptionKey === undefined || rootEncryptionKey === "")
     ) throw InternalServerError({
         message: "Failed to find required root encryption key environment variable. Please make sure that you're passing in a ROOT_ENCRYPTION_KEY environment variable."
     });
-    
-    if (encryptionKey && encryptionKey !== '') {
-        // validate [encryptionKey]
-        
-        const keyBuffer = Buffer.from(encryptionKey, 'hex');
-        const decoded = keyBuffer.toString('hex');
 
-        if (decoded !== encryptionKey) throw InternalServerError({
-            message: 'Failed to validate that the encryption key is correctly encoded in hex.'
-        });
-        
-        if (keyBuffer.length !== 16) throw InternalServerError({
-            message: 'Failed to validate that the encryption key is a 128-bit hex string.'
-        });
-    }
+    // if (encryptionKey && encryptionKey !== '') {
+    //     // validate [encryptionKey]
+
+    //     const keyBuffer = Buffer.from(encryptionKey, 'hex');
+    //     const decoded = keyBuffer.toString('hex');
+
+    //     if (decoded !== encryptionKey) throw InternalServerError({
+    //         message: 'Failed to validate that the encryption key is correctly encoded in hex.'
+    //     });
+
+    //     if (keyBuffer.length !== 16) throw InternalServerError({
+    //         message: 'Failed to validate that the encryption key is a 128-bit hex string.'
+    //     });
+    // }
 
     if (rootEncryptionKey && rootEncryptionKey !== '') {
         // validate [rootEncryptionKey]
-        
+
         const keyBuffer = Buffer.from(rootEncryptionKey, 'base64')
         const decoded = keyBuffer.toString('base64');
 
         if (decoded !== rootEncryptionKey) throw InternalServerError({
             message: 'Failed to validate that the root encryption key is correctly encoded in base64'
         });
-        
+
         if (keyBuffer.length !== 32) throw InternalServerError({
             message: 'Failed to validate that the encryption key is a 256-bit base64 string'
         });

backend/src/validation/index.ts

@@ -1,3 +1,4 @@
+export * from './user';
 export * from './workspace';
 export * from './bot';
 export * from './integration';

backend/src/validation/user.ts

@@ -1,3 +1,5 @@
+import fs from 'fs';
+import path from 'path';
 import { Types } from 'mongoose';
 import {
 	IUser, 
@@ -8,7 +10,7 @@ import {
 } from '../models';
 import { validateMembership } from '../helpers/membership';
 import _ from 'lodash';
-import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import { BadRequestError, UnauthorizedRequestError, ValidationError } from '../utils/errors';
 import {
 	validateMembershipOrg
 } from '../helpers/membershipOrg';
@@ -17,6 +19,22 @@ import {
 	PERMISSION_WRITE_SECRETS
 } from '../variables';
 
+/**
+ * Validate that email [email] is not disposable
+ * @param email - email to validate
+ */
+export const validateUserEmail = (email: string) => {
+	const emailDomain = email.split('@')[1];
+	const disposableEmails = fs.readFileSync(
+		path.resolve(__dirname, '../data/' + 'disposable_emails.txt'),
+		'utf8'
+	).split('\n');	
+	
+	if (disposableEmails.includes(emailDomain)) throw ValidationError({
+		message: 'Failed to validate email as non-disposable'
+	});
+}
+
 /**
  * Validate that user (client) can access workspace
  * with id [workspaceId] and its environment [environment] with required permissions

backend/src/validation/workspace.ts

@@ -13,6 +13,7 @@ import { validateServiceAccountClientForWorkspace } from './serviceAccount';
 import { validateUserClientForWorkspace } from './user';
 import { validateServiceTokenDataClientForWorkspace } from './serviceTokenData';
 import { 
+	BadRequestError,
     UnauthorizedRequestError,
     WorkspaceNotFoundError 
 } from '../utils/errors';
@@ -22,6 +23,7 @@ import {
     AUTH_MODE_SERVICE_TOKEN,
     AUTH_MODE_API_KEY
 } from '../variables';
+import { BotService } from '../services';
 
 /**
  * Validate authenticated clients for workspace with id [workspaceId] based
@@ -39,7 +41,8 @@ export const validateClientForWorkspace = async ({
 	environment,
 	acceptedRoles,
 	requiredPermissions,
-	requireBlindIndicesEnabled
+	requireBlindIndicesEnabled,
+	requireE2EEOff
 }: {
 	authData: {
 		authMode: string;
@@ -50,8 +53,8 @@ export const validateClientForWorkspace = async ({
 	acceptedRoles: Array<'admin' | 'member'>;
 	requiredPermissions?: string[];
 	requireBlindIndicesEnabled: boolean;
+	requireE2EEOff: boolean;
 }) => {
-	
 	const workspace = await Workspace.findById(workspaceId);
 
 	if (!workspace) throw WorkspaceNotFoundError({
@@ -71,6 +74,14 @@ export const validateClientForWorkspace = async ({
 			message: 'Failed workspace authorization due to blind indices not being enabled'
 		});
 	}
+	
+	if (requireE2EEOff) {
+		const isWorkspaceE2EE = await BotService.getIsWorkspaceE2EE(workspaceId);
+		
+		if (isWorkspaceE2EE) throw BadRequestError({
+			message: 'Failed workspace authorization due to end-to-end encryption not being disabled'
+		});
+	}
 
 	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
 		const membership = await validateUserClientForWorkspace({

backend/src/variables/integration.ts

@@ -22,6 +22,8 @@ export const INTEGRATION_FLYIO = "flyio";
 export const INTEGRATION_CIRCLECI = "circleci";
 export const INTEGRATION_TRAVISCI = "travisci";
 export const INTEGRATION_SUPABASE = 'supabase';
+export const INTEGRATION_CHECKLY = 'checkly';
+export const INTEGRATION_HASHICORP_VAULT = 'hashicorp-vault';
 export const INTEGRATION_SET = new Set([
     INTEGRATION_AZURE_KEY_VAULT,
   INTEGRATION_HEROKU,
@@ -33,7 +35,9 @@ export const INTEGRATION_SET = new Set([
   INTEGRATION_FLYIO,
   INTEGRATION_CIRCLECI,
   INTEGRATION_TRAVISCI,
-  INTEGRATION_SUPABASE
+  INTEGRATION_SUPABASE,
+  INTEGRATION_CHECKLY,
+  INTEGRATION_HASHICORP_VAULT
 ]);
 
 // integration types
@@ -60,6 +64,7 @@ export const INTEGRATION_FLYIO_API_URL = "https://api.fly.io/graphql";
 export const INTEGRATION_CIRCLECI_API_URL = "https://circleci.com/api";
 export const INTEGRATION_TRAVISCI_API_URL = "https://api.travis-ci.com";
 export const INTEGRATION_SUPABASE_API_URL = 'https://api.supabase.com';
+export const INTEGRATION_CHECKLY_API_URL = 'https://api.checklyhq.com';
 
 export const getIntegrationOptions = async () => {
     const INTEGRATION_OPTIONS = [
@@ -190,6 +195,24 @@ export const getIntegrationOptions = async () => {
             clientId: '',
             docsLink: ''
         },
+        {
+            name: 'Checkly',
+            slug: 'checkly',
+            image: 'Checkly.png',
+            isAvailable: true,
+            type: 'pat',
+            clientId: '',
+            docsLink: ''
+        },
+        {
+            name: 'HashiCorp Vault',
+            slug: 'hashicorp-vault',
+            image: 'Vault.png',
+            isAvailable: true,
+            type: 'pat',
+            clientId: '',
+            docsLink: ''
+        },
         {
             name: 'Google Cloud Platform',
             slug: 'gcp',

cli/packages/api/api.go

@@ -2,6 +2,7 @@ package api
 
 import (
 	"fmt"
+	"net/http"
 
 	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/go-resty/resty/v2"
@@ -159,6 +160,22 @@ func CallVerifyMfaToken(httpClient *resty.Client, request VerifyMfaTokenRequest)
 		SetBody(request).
 		Post(fmt.Sprintf("%v/v2/auth/mfa/verify", config.INFISICAL_URL))
 
+	cookies := response.Cookies()
+	// Find a cookie by name
+	cookieName := "jid"
+	var refreshToken *http.Cookie
+	for _, cookie := range cookies {
+		if cookie.Name == cookieName {
+			refreshToken = cookie
+			break
+		}
+	}
+
+	// When MFA is enabled
+	if refreshToken != nil {
+		verifyMfaTokenResponse.RefreshToken = refreshToken.Value
+	}
+
 	if err != nil {
 		return nil, nil, fmt.Errorf("CallVerifyMfaToken: Unable to complete api request [err=%s]", err)
 	}
@@ -179,6 +196,22 @@ func CallLogin2V2(httpClient *resty.Client, request GetLoginTwoV2Request) (GetLo
 		SetBody(request).
 		Post(fmt.Sprintf("%v/v2/auth/login2", config.INFISICAL_URL))
 
+	cookies := response.Cookies()
+	// Find a cookie by name
+	cookieName := "jid"
+	var refreshToken *http.Cookie
+	for _, cookie := range cookies {
+		if cookie.Name == cookieName {
+			refreshToken = cookie
+			break
+		}
+	}
+
+	// When MFA is enabled
+	if refreshToken != nil {
+		loginTwoV2Response.RefreshToken = refreshToken.Value
+	}
+
 	if err != nil {
 		return GetLoginTwoV2Response{}, fmt.Errorf("CallLogin2V2: Unable to complete api request [err=%s]", err)
 	}
@@ -247,3 +280,26 @@ func CallGetAccessibleEnvironments(httpClient *resty.Client, request GetAccessib
 
 	return accessibleEnvironmentsResponse, nil
 }
+
+func CallGetNewAccessTokenWithRefreshToken(httpClient *resty.Client, refreshToken string) (GetNewAccessTokenWithRefreshTokenResponse, error) {
+	var newAccessToken GetNewAccessTokenWithRefreshTokenResponse
+	response, err := httpClient.
+		R().
+		SetResult(&newAccessToken).
+		SetHeader("User-Agent", USER_AGENT).
+		SetCookie(&http.Cookie{
+			Name:  "jid",
+			Value: refreshToken,
+		}).
+		Post(fmt.Sprintf("%v/v1/auth/token", config.INFISICAL_URL))
+
+	if err != nil {
+		return GetNewAccessTokenWithRefreshTokenResponse{}, err
+	}
+
+	if response.IsError() {
+		return GetNewAccessTokenWithRefreshTokenResponse{}, fmt.Errorf("CallGetNewAccessTokenWithRefreshToken: Unsuccessful response:  [response=%v]", response)
+	}
+
+	return newAccessToken, nil
+}