Update cli to 0.1.16 to trigger arch linux release

ci: add aur release

.env.example

@@ -1,21 +1,19 @@
 # Keys
-# Required keys for platform encryption/decryption ops
-PRIVATE_KEY=replace_with_nacl_sk
-PUBLIC_KEY=replace_with_nacl_pk
-ENCRYPTION_KEY=replace_with_lengthy_secure_hex
+# Required key for platform encryption/decryption ops
+ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
 # JWT
 # Required secrets to sign JWT tokens
-JWT_SIGNUP_SECRET=replace_with_lengthy_secure_hex
-JWT_REFRESH_SECRET=replace_with_lengthy_secure_hex
-JWT_AUTH_SECRET=replace_with_lengthy_secure_hex
+JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
+JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
+JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
+JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
 
 # JWT lifetime
 # Optional lifetimes for JWT tokens expressed in seconds or a string 
 # describing a time span (e.g. 60, "2 days", "10h", "7d")
 JWT_AUTH_LIFETIME=
 JWT_REFRESH_LIFETIME=
-JWT_SERVICE_SECRET=
 JWT_SIGNUP_LIFETIME=
 
 # Optional lifetimes for OTP expressed in seconds
@@ -33,21 +31,28 @@ MONGO_PASSWORD=example
 
 # Website URL
 # Required
-
 SITE_URL=http://localhost:8080
 
 # Mail/SMTP
-# Required to send emails
-# By default, SMTP_HOST is set to smtp.gmail.com
-SMTP_HOST=smtp.gmail.com
-SMTP_NAME=Team
-SMTP_USERNAME=team@infisical.com
-SMTP_PASSWORD=
+SMTP_HOST= # required
+SMTP_USERNAME= # required
+SMTP_PASSWORD= # required
+SMTP_PORT=587
+SMTP_SECURE=false
+SMTP_FROM_ADDRESS= # required
+SMTP_FROM_NAME=Infisical
 
 # Integration
 # Optional only if integration is used
-OAUTH_CLIENT_SECRET_HEROKU=
-OAUTH_TOKEN_URL_HEROKU=
+CLIENT_ID_HEROKU=
+CLIENT_ID_VERCEL=
+CLIENT_ID_NETLIFY=
+CLIENT_ID_GITHUB=
+CLIENT_SECRET_HEROKU=
+CLIENT_SECRET_VERCEL=
+CLIENT_SECRET_NETLIFY=
+CLIENT_SECRET_GITHUB=
+CLIENT_SLUG_VERCEL=
 
 # Sentry (optional) for monitoring errors
 SENTRY_DSN=

.eslintignore

@@ -0,0 +1,3 @@
+node_modules
+built
+healthcheck.js

.github/resources/docker-compose.be-test.yml

@@ -0,0 +1,30 @@
+version: '3'
+
+services:
+  backend:
+    container_name: infisical-backend-test
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    image: infisical/backend:test
+    command: npm run start
+    environment:
+      - NODE_ENV=production
+      - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
+      - MONGO_USERNAME=test
+      - MONGO_PASSWORD=example
+    networks:
+      - infisical-test
+
+  mongo:
+    container_name: infisical-mongo-test
+    image: mongo
+    restart: always
+    environment:
+      - MONGO_INITDB_ROOT_USERNAME=test
+      - MONGO_INITDB_ROOT_PASSWORD=example
+    networks:
+      - infisical-test
+
+networks:
+  infisical-test:

.github/resources/healthcheck.sh

@@ -0,0 +1,26 @@
+# Name of the target container to check
+container_name="$1"
+# Timeout in seconds. Default: 60
+timeout=$((${2:-60}));
+
+if [ -z $container_name ]; then
+  echo "No container name specified";
+  exit 1;
+fi
+
+echo "Container: $container_name";
+echo "Timeout: $timeout sec";
+
+try=0;
+is_healthy="false";
+while [ $is_healthy != "true" ];
+do
+  try=$(($try + 1));
+  printf "■";
+  is_healthy=$(docker inspect --format='{{json .State.Health}}' $container_name | jq '.Status == "healthy"');
+  sleep 1;
+  if [[ $try -eq $timeout ]]; then
+    echo " Container was not ready within timeout";
+    exit 1;
+  fi
+done

.github/workflows/be-test-report.yml

@@ -0,0 +1,41 @@
+name: "Backend Test Report"
+
+on:
+  workflow_run:
+    workflows: ["Check Backend Pull Request"]
+    types:
+      - completed
+
+jobs:
+  be-report:
+    name: Backend test report
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: 📁 Download test results
+        id: download-artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          name: be-test-results
+          path: backend
+          workflow: check-be-pull-request.yml
+          workflow_conclusion: success
+      - name: 📋 Publish test results
+        uses: dorny/test-reporter@v1
+        with:
+          name: Test Results
+          path: reports/jest-*.xml
+          reporter: jest-junit
+          working-directory: backend
+      - name: 📋 Publish coverage
+        uses: ArtiomTr/jest-coverage-report-action@v2
+        id: coverage
+        with:
+          output: comment, report-markdown
+          coverage-file: coverage/report.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          working-directory: backend
+      - uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          message: ${{ steps.coverage.outputs.report }}

.github/workflows/check-be-pull-request.yml

@@ -0,0 +1,42 @@
+name: "Check Backend Pull Request"
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - "backend/**"
+      - "!backend/README.md"
+      - "!backend/.*"
+      - "backend/.eslintrc.js"
+
+jobs:
+  check-be-pr:
+    name: Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 🔧 Setup Node 16
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+          cache: "npm"
+          cache-dependency-path: backend/package-lock.json
+      - name: 📦 Install dependencies
+        run: npm ci --only-production --ignore-scripts
+        working-directory: backend
+      - name: 🧪 Run tests
+        run: npm run test:ci
+        working-directory: backend
+      - name: 📁 Upload test results
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: be-test-results
+          path: |
+            ./backend/reports
+            ./backend/coverage
+      - name: 🏗️ Run build
+        run: npm run build
+        working-directory: backend

.github/workflows/check-fe-pull-request.yml

@@ -0,0 +1,41 @@
+name: Check Frontend Pull Request
+
+on:
+  pull_request:
+    types: [ opened, synchronize ]
+    paths:
+      - 'frontend/**'
+      - '!frontend/README.md'
+      - '!frontend/.*'
+      - 'frontend/.eslintrc.js'
+
+
+jobs:
+
+  check-fe-pr:
+    name: Check
+    runs-on: ubuntu-latest
+
+    steps:
+      -
+        name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      -
+        name: 🔧 Setup Node 16
+        uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
+      -
+        name: 📦 Install dependencies
+        run: npm ci --only-production --ignore-scripts
+        working-directory: frontend
+      # -
+      #   name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: frontend
+      -
+        name: 🏗️ Run build
+        run: npm run build
+        working-directory: frontend

.github/workflows/close_inactive_issues.yml

@@ -1,22 +0,0 @@
-name: Close inactive issues
-on:
-  schedule:
-    - cron: "30 1 * * *"
-
-jobs:
-  close-issues:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      pull-requests: write
-    steps:
-      - uses: actions/stale@v4
-        with:
-          days-before-issue-stale: 30
-          days-before-issue-close: 14
-          stale-issue-label: "stale"
-          stale-issue-message: "This issue is stale because it has been open for 30 days with no activity."
-          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
-          days-before-pr-stale: -1
-          days-before-pr-close: -1
-          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docker-image.yml

@@ -3,35 +3,84 @@ name: Push to Docker Hub
 on: [workflow_dispatch]
 
 jobs:
-  docker:
+  backend-image:
+    name: Build backend image
     runs-on: ubuntu-latest
+
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Set up QEMU
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 🔧 Set up QEMU
         uses: docker/setup-qemu-action@v2
-      -
-        name: Set up Docker Buildx
+      - name: 🔧 Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      -
-        name: Login to Docker Hub
+      - name: 🐋 Login to Docker Hub
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push backend
+      - name: 📦 Build backend and export to Docker
+        uses: docker/build-push-action@v3
+        with:
+          load: true
+          context: backend
+          tags: infisical/backend:test
+      - name: ⏻ Spawn backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml up --wait --quiet-pull
+      - name: 🧪 Test backend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-backend-test
+      - name: ⏻ Shut down backend container and dependencies
+        run: |
+          docker compose -f .github/resources/docker-compose.be-test.yml down
+      - name: 🏗️ Build backend and push
         uses: docker/build-push-action@v3
         with:
           push: true
           context: backend
-          tags: infisical/backend:test
-      -
-        name: Build and push frontend
+          tags: infisical/backend:latest
+          platforms: linux/amd64,linux/arm64
+
+  frontend-image:
+    name: Build frontend image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+      - name: 🔧 Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 📦 Build frontend and export to Docker
+        uses: docker/build-push-action@v3
+        with:
+          load: true
+          context: frontend
+          tags: infisical/frontend:test
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+      - name: ⏻ Spawn frontend container
+        run: |
+          docker run -d --rm --name infisical-frontend-test infisical/frontend:test
+      - name: 🧪 Test frontend image
+        run: |
+          ./.github/resources/healthcheck.sh infisical-frontend-test
+      - name: ⏻ Shut down frontend container
+        run: |
+          docker stop infisical-frontend-test
+      - name: 🏗️ Build frontend and push
         uses: docker/build-push-action@v3
         with:
           push: true
-          file: frontend/Dockerfile.dev
           context: frontend
-          tags: infisical/frontend:test
+          tags: infisical/frontend:latest
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}

.github/workflows/helm-chart-release.yaml

@@ -1,33 +0,0 @@
-name: Release Charts
-
-on: [workflow_dispatch]
-
-jobs:
-  release:
-    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
-    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Configure Git
-        run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-
-      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.4.1
-        with:
-          charts_dir: helm-charts
-        env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/helm_chart_release.yml

@@ -0,0 +1,22 @@
+name: Release Helm Charts
+
+on: [workflow_dispatch]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install python
+        uses: actions/setup-python@v4
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+      - name: Build and push helm package to Cloudsmith
+        run: cd helm-charts && sh upload-to-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_build.yml

@@ -1,4 +1,4 @@
-name: goreleaser
+name: Go releaser
 
 on:
   push:
@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v3
         with:
@@ -24,6 +24,15 @@ jobs:
           go-version: '>=1.19.3'
           cache: true
           cache-dependency-path: cli/go.sum
+      - name: libssl1.1 => libssl1.0-dev for OSXCross
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt update && apt-cache policy libssl1.0-dev
+          sudo apt-get install libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
       - uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
@@ -32,6 +41,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
       - uses: actions/setup-python@v4
       - run: pip install --upgrade cloudsmith-cli
       - name: Publish to CloudSmith 

.github/workflows/release_docker_k8_operator.yaml

@@ -0,0 +1,29 @@
+name: Release Docker image for K8 operator 
+on: [workflow_dispatch]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: 🔧 Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: k8-operator
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: infisical/kubernetes-operator:latest

.gitignore

@@ -25,7 +25,9 @@ node_modules
 .env
 
 # testing
-/coverage
+coverage
+reports
+junit.xml
 
 # next.js
 /.next/

.goreleaser.yaml

@@ -7,28 +7,37 @@
 #     # you may remove this if you don't need go generate
 #     - cd cli && go generate ./...
 builds:
-  - env:
-      - CGO_ENABLED=0
+  - id: darwin-build
     binary: infisical
-    id: infisical
+    env:
+      - CGO_ENABLED=1
+      - CC=/home/runner/work/osxcross/target/bin/o64-clang
+      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
     goos:
       - darwin
+    ignore:
+      - goos: darwin
+        goarch: "386"
+    dir: ./cli
+  - id: all-other-builds
+    env:
+      - CGO_ENABLED=0
+    binary: infisical
+    goos:
       - freebsd
       - linux
       - netbsd
       - openbsd
       - windows
     goarch:
-      - 386
+      - "386"
       - amd64
       - arm
       - arm64
     goarm:
-      - 6
-      - 7
+      - "6"
+      - "7"
     ignore:
-      - goos: darwin
-        goarch: "386"
       - goos: windows
         goarch: "386"
       - goos: freebsd
@@ -71,16 +80,17 @@ nfpms:
 - id: infisical
   package_name: infisical
   builds:
-    - infisical
+    - all-other-builds
   vendor: Infisical, Inc
   homepage: https://infisical.com/
   maintainer: Infisical, Inc
   description: The offical Infisical CLI
-  license: Apache 2.0
+  license: MIT
   formats:
   - rpm
   - deb
   - apk
+  - archlinux
   bindir: /usr/bin
 scoop:
   bucket:
@@ -91,7 +101,23 @@ scoop:
     email: ai@infisical.com
   homepage: "https://infisical.com"
   description: "The official Infisical CLI"
-  license: Apache-2.0
+  license: MIT
+aurs:
+  -
+    name: infisical-bin
+    homepage: "https://infisical.com"
+    description: "The official Infisical CLI"
+    maintainers:
+      - Infisical, Inc <support@infisical.com>
+    license: MIT
+    private_key: '{{ .Env.AUR_KEY }}'
+    git_url: 'ssh://aur@aur.archlinux.org/infisical-bin.git'
+    package: |-
+      # bin
+      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
+      # license
+      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
+
 # dockers:
 #   - dockerfile: goreleaser.dockerfile
 #     goos: linux

.husky/pre-commit

@@ -0,0 +1,5 @@
+
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx lint-staged

README.md

@@ -1,5 +1,5 @@
 <h1 align="center">
-  <img width="300" src="/img/logoname-black.svg#gh-light-mode-only" alt="ifnisical">
+  <img width="300" src="/img/logoname-black.svg#gh-light-mode-only" alt="infisical">
   <img width="300" src="/img/logoname-white.svg#gh-dark-mode-only" alt="infisical">
 </h1>
 <p align="center">
@@ -27,6 +27,9 @@
   <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">
     <img src="https://img.shields.io/badge/chat-on%20Slack-blueviolet" alt="Slack community channel" />
   </a>
+  <a href="https://twitter.com/infisical">
+    <img src="https://img.shields.io/twitter/follow/infisical?label=Follow" alt="Infisical Twitter" />
+  </a>
 </h4>
 
 <img src="/img/infisical_github_repo.png" width="100%" alt="Dashboard" />
@@ -48,13 +51,19 @@
 
 And more.
 
-## Get started
+## 🚀 Get started
 
 To quickly get started, visit our [get started guide](https://infisical.com/docs/getting-started/introduction).
 
-## What's cool about this?
+<p>
+  <a href="https://infisical.com/docs/self-hosting/overview" target="_blank"><img src="https://user-images.githubusercontent.com/78047717/206356882-2b773eed-b0da-4725-ae2f-83e3cd7f2713.png" height=120 /> </a>
+  <a href="https://www.youtube.com/watch?v=JS3OKYU2078" target="_blank"><img src="https://user-images.githubusercontent.com/78047717/206356600-8833b128-6cae-408c-a703-07b2fc6aff4b.png" height=120 /> </a>
+  <a href="https://app.infisical.com/signup" target="_blank"><img src="https://user-images.githubusercontent.com/78047717/206355970-f4c09062-b88f-452a-94e0-9c61a0651170.png" height=120></a>
+</p>
 
-Infisical makes secret management simple and end-to-end encrypted by default. We're on a mission to make it more accessible to all developers, <i>not just security teams</i>. 
+## 🔥 What's cool about this?
+
+Infisical makes secret management simple and end-to-end encrypted by default. We're on a mission to make it more accessible to all developers, <i>not just security teams</i>.
 
 According to a [report](https://www.ekransystem.com/en/blog/secrets-management) in 2019, only 10% of organizations use secret management solutions despite all using digital secrets to some extent.
 
@@ -62,20 +71,23 @@ If you care about efficiency and security, then Infisical is right for you.
 
 We are currently working hard to make Infisical more extensive. Need any integrations or want a new feature? Feel free to [create an issue](https://github.com/Infisical/infisical/issues) or [contribute](https://infisical.com/docs/contributing/overview) directly to the repository.
 
-## Contributing
+## 🌱 Contributing
 
 Whether it's big or small, we love contributions ❤️ Check out our guide to see how to [get started](https://infisical.com/docs/contributing/overview).
 
-Not sure where to get started? [Book a free, non-pressure pairing sessions with one of our teammates](mailto:tony@infisical.com?subject=Pairing%20session&body=I'd%20like%20to%20do%20a%20pairing%20session!)!
+Not sure where to get started? You can:
 
-## Community & Support
+- [Book a free, non-pressure pairing sessions with one of our teammates](mailto:tony@infisical.com?subject=Pairing%20session&body=I'd%20like%20to%20do%20a%20pairing%20session!)!
+- Join our <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">Slack</a>, and ask us any questions there.
+
+## 💚 Community & Support
 
 - [Slack](https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g) (For live discussion with the community and the Infisical team)
 - [GitHub Discussions](https://github.com/Infisical/infisical/discussions) (For help with building and deeper conversations about features)
 - [GitHub Issues](https://github.com/Infisical/infisical-cli/issues) (For any bugs and errors you encounter using Infisical)
-- [Twitter](https://twitter.com/infisical) (Get news fast) 
+- [Twitter](https://twitter.com/infisical) (Get news fast)
 
-## Status
+## 🐥 Status
 
 - [x] Public Alpha: Anyone can sign up over at [infisical.com](https://infisical.com) but go easy on us, there are kinks and we're just getting started.
 - [ ] Public Beta: Stable enough for most non-enterprise use-cases.
@@ -83,13 +95,7 @@ Not sure where to get started? [Book a free, non-pressure pairing sessions with
 
 We're currently in Public Alpha.
 
-## Stay Up-to-Date
-
-Infisical officially launched as v.1.0 on November 21st, 2022. However, a lot of new features are coming very quickly. Watch **releases** of this repository to be notified about future updates:
-
-![infisical-star-github](https://github.com/Infisical/infisical/blob/main/.github/images/star-infisical.gif?raw=true)
-
-## Integrations
+## 🔌 Integrations
 
 We're currently setting the foundation and building [integrations](https://infisical.com/docs/integrations/overview) so secrets can be synced everywhere. Any help is welcome! :)
 
@@ -122,10 +128,14 @@ We're currently setting the foundation and building [integrations](https://infis
     </tr>
     <tr>
       <td align="left" valign="middle">
-        🔜 Vercel (https://github.com/Infisical/infisical/issues/60)
+        <a href="https://infisical.com/docs/integrations/cloud/vercel?ref=github.com">
+          ✔️ Vercel
+        </a>
       </td>
       <td align="left" valign="middle">
-        🔜 GitLab CI/CD
+        <a href="https://infisical.com/docs/integrations/platforms/kubernetes?ref=github.com">
+          ✔️ Kubernetes
+        </a>
       </td>
       <td align="left" valign="middle">
         🔜 Fly.io
@@ -136,7 +146,9 @@ We're currently setting the foundation and building [integrations](https://infis
         🔜 AWS
       </td>
       <td align="left" valign="middle">
-        🔜 GitHub Actions (https://github.com/Infisical/infisical/issues/54)
+        <a href="https://infisical.com/docs/integrations/cicd/githubactions">
+          ✔️ GitHub Actions
+        </a>
       </td>
       <td align="left" valign="middle">
          🔜 Railway
@@ -147,10 +159,10 @@ We're currently setting the foundation and building [integrations](https://infis
         🔜 GCP
       </td>
       <td align="left" valign="middle">
-        🔜 Kubernetes
+        🔜 GitLab CI/CD (https://github.com/Infisical/infisical/issues/134)
       </td>
       <td align="left" valign="middle">
-        🔜 CircleCI
+        🔜 CircleCI (https://github.com/Infisical/infisical/issues/91)
       </td>
     </tr>
     <tr>
@@ -169,7 +181,23 @@ We're currently setting the foundation and building [integrations](https://infis
          🔜 TravisCI
       </td>
       <td align="left" valign="middle">
-         🔜 Netlify (https://github.com/Infisical/infisical/issues/55)
+        <a href="https://infisical.com/docs/integrations/cloud/netlify">
+          ✔️ Netlify
+        </a>
+      </td>
+      <td align="left" valign="middle">
+         🔜 Railway
+      </td>
+    </tr>
+    <tr>
+      <td align="left" valign="middle">
+         🔜 Bitbucket
+      </td>
+      <td align="left" valign="middle">
+         🔜 Supabase
+      </td>
+      <td align="left" valign="middle">
+         🔜 Render (https://github.com/Infisical/infisical/issues/132)
       </td>
     </tr>
   </tbody>
@@ -178,7 +206,6 @@ We're currently setting the foundation and building [integrations](https://infis
   </td>
 <td>
 
-
 <table>
   <tbody>
     <tr>
@@ -253,6 +280,18 @@ We're currently setting the foundation and building [integrations](https://infis
         </a>
       </td>
     </tr>
+    <tr>
+      <td align="left" valign="middle">
+        <a href="https://infisical.com/docs/integrations/frameworks/fiber?ref=github.com">
+          ✔️ Fiber
+        </a>
+      </td>
+      <td align="left" valign="middle">
+        <a href="https://infisical.com/docs/integrations/frameworks/nuxt?ref=github.com">
+          ✔️ Nuxt
+        </a>
+      </td>
+    </tr>
   </tbody>
 </table>
 
@@ -260,16 +299,21 @@ We're currently setting the foundation and building [integrations](https://infis
 </tr> 
 </table>
 
-
-## Open-source vs. paid
+## 🏘 Open-source vs. paid
 
 This repo is entirely MIT licensed, with the exception of the `ee` directory which will contain premium enterprise features requiring a Infisical license in the future. We're currently focused on developing non-enterprise offerings first that should suit most use-cases.
 
-## Security
+## 🛡 Security
 
 Looking to report a security vulnerability? Please don't post about it in GitHub issue. Instead, refer to our [SECURITY.md](./SECURITY.md) file.
 
-## Contributors 🦸
+## 🚨 Stay Up-to-Date
+
+Infisical officially launched as v.1.0 on November 21st, 2022. However, a lot of new features are coming very quickly. Watch **releases** of this repository to be notified about future updates:
+
+![infisical-star-github](https://github.com/Infisical/infisical/blob/main/.github/images/star-infisical.gif?raw=true)
+
+## 🦸 Contributors
 
 [//]: contributor-faces
 
@@ -277,4 +321,4 @@ Looking to report a security vulnerability? Please don't post about it in GitHub
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable -->
 
-<a href="https://github.com/dangtony98"><img src="https://avatars.githubusercontent.com/u/25857006?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/mv-turtle"><img src="https://avatars.githubusercontent.com/u/78047717?s=96&v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/maidul98"><img src="https://avatars.githubusercontent.com/u/9300960?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/gangjun06"><img src="https://avatars.githubusercontent.com/u/50910815?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/reginaldbondoc"><img src="https://avatars.githubusercontent.com/u/7693108?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/SH5H"><img src="https://avatars.githubusercontent.com/u/25437192?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/hanywang2"><img src="https://avatars.githubusercontent.com/u/44352119?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/tobias-mintlify"><img src="https://avatars.githubusercontent.com/u/110702161?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/0xflotus"><img src="https://avatars.githubusercontent.com/u/26602940?v=4" width="50" height="50" alt=""/></a> 
+<a href="https://github.com/dangtony98"><img src="https://avatars.githubusercontent.com/u/25857006?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/mv-turtle"><img src="https://avatars.githubusercontent.com/u/78047717?s=96&v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/maidul98"><img src="https://avatars.githubusercontent.com/u/9300960?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/gangjun06"><img src="https://avatars.githubusercontent.com/u/50910815?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/reginaldbondoc"><img src="https://avatars.githubusercontent.com/u/7693108?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/SH5H"><img src="https://avatars.githubusercontent.com/u/25437192?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/gmgale"><img src="https://avatars.githubusercontent.com/u/62303146?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/asharonbaltazar"><img src="https://avatars.githubusercontent.com/u/58940073?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/edgarrmondragon"><img src="https://avatars.githubusercontent.com/u/16805946?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/arjunyel"><img src="https://avatars.githubusercontent.com/u/11153289?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/LemmyMwaura"><img src="https://avatars.githubusercontent.com/u/20738858?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/Zamion101"><img src="https://avatars.githubusercontent.com/u/8071263?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/akhilmhdh"><img src="https://avatars.githubusercontent.com/u/31166322?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/naorpeled"><img src="https://avatars.githubusercontent.com/u/6171622?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/jonerrr"><img src="https://avatars.githubusercontent.com/u/73760377?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/adrianmarinwork"><img src="https://avatars.githubusercontent.com/u/118568289?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/arthurzenika"><img src="https://avatars.githubusercontent.com/u/445200?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/hanywang2"><img src="https://avatars.githubusercontent.com/u/44352119?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/tobias-mintlify"><img src="https://avatars.githubusercontent.com/u/110702161?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/wjhurley"><img src="https://avatars.githubusercontent.com/u/15939055?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/0xflotus"><img src="https://avatars.githubusercontent.com/u/26602940?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/wanjohiryan"><img src="https://avatars.githubusercontent.com/u/71614375?v=4" width="50" height="50" alt=""/></a>

backend/.eslintrc

@@ -1,18 +1,12 @@
 {
-    "root": true,
-    "parser": "@typescript-eslint/parser",
-    "plugins": [
-      "@typescript-eslint",
-      "prettier"
-    ],
-    "extends": [
-      "eslint:recommended",
-      "plugin:@typescript-eslint/eslint-recommended",
-      "plugin:@typescript-eslint/recommended",
-      "prettier"
-    ],
-    "rules": {
-      "no-console": 2,
-      "prettier/prettier": 2
-    }
-}
+  "parser": "@typescript-eslint/parser",
+  "plugins": ["@typescript-eslint"],
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/eslint-recommended",
+    "plugin:@typescript-eslint/recommended"
+  ],
+  "rules": {
+    "no-console": 2
+  }
+}

backend/.prettierrc

@@ -1,7 +0,0 @@
-{
-    "semi": true,
-    "trailingComma": "none",
-    "singleQuote": true,
-    "printWidth": 80,
-		"useTabs": true
-  }

backend/Dockerfile

@@ -2,11 +2,14 @@ FROM node:16-bullseye-slim
 
 WORKDIR /app
 
-COPY package*.json .
+COPY package.json package-lock.json ./
 
-RUN npm install
+RUN npm ci --only-production --ignore-scripts
 
 COPY . .
 
-CMD ["npm", "run", "start"]
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
+  CMD node healthcheck.js
 
+
+CMD ["npm", "run", "start"]

backend/__tests__/healthcheck.test.ts

@@ -0,0 +1,19 @@
+import { server } from '../src/app';
+import { describe, expect, it, beforeAll, afterAll } from '@jest/globals';
+import supertest from 'supertest';
+import { setUpHealthEndpoint } from '../src/services/health';
+
+const requestWithSupertest = supertest(server);
+describe('Healthcheck endpoint', () => {
+  beforeAll(async () => {
+    setUpHealthEndpoint(server);
+  });
+  afterAll(async () => {
+    server.close();
+  });
+
+  it('GET /healthcheck should return OK', async () => {
+    const res = await requestWithSupertest.get('/healthcheck');
+    expect(res.status).toEqual(200);
+  });
+});

backend/environment.d.ts

@@ -14,12 +14,16 @@ declare global {
 			JWT_SIGNUP_SECRET: string;
       MONGO_URL: string;
       NODE_ENV: 'development' | 'staging' | 'testing' | 'production';
-      OAUTH_CLIENT_SECRET_HEROKU: string;
-      OAUTH_TOKEN_URL_HEROKU: string;
+      VERBOSE_ERROR_OUTPUT: string;
+      LOKI_HOST: string;
+      CLIENT_ID_HEROKU: string;
+      CLIENT_ID_VERCEL: string;
+      CLIENT_ID_NETLIFY: string;
+      CLIENT_SECRET_HEROKU: string;
+      CLIENT_SECRET_VERCEL: string;
+      CLIENT_SECRET_NETLIFY: string;
 			POSTHOG_HOST: string;
 			POSTHOG_PROJECT_API_KEY: string;
-      PRIVATE_KEY: string;
-      PUBLIC_KEY: string;
       SENTRY_DSN: string;
       SITE_URL: string;
       SMTP_HOST: string;

backend/healthcheck.js

@@ -0,0 +1,24 @@
+const http = require('http');
+const PORT = process.env.PORT || 4000;
+const options = {
+  host: 'localhost',
+  port: PORT,
+  timeout: 2000,
+  path: '/healthcheck'
+};
+
+const healthCheck = http.request(options, (res) => {
+  console.log(`HEALTHCHECK STATUS: ${res.statusCode}`);
+  if (res.statusCode == 200) {
+    process.exit(0);
+  } else {
+    process.exit(1);
+  }
+});
+
+healthCheck.on('error', function (err) {
+  console.error(`HEALTH CHECK ERROR: ${err}`);
+  process.exit(1);
+});
+
+healthCheck.end();

backend/package.json

@@ -1,8 +1,11 @@
 {
   "dependencies": {
+    "@godaddy/terminus": "^4.11.2",
+    "@octokit/rest": "^19.0.5",
     "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
     "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
     "axios": "^1.1.3",
     "bigint-conversion": "^2.2.2",
     "cookie-parser": "^1.4.6",
@@ -10,32 +13,40 @@
     "crypto-js": "^4.1.1",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
-    "express-rate-limit": "^6.5.1",
+    "express-rate-limit": "^6.7.0",
     "express-validator": "^6.14.2",
     "handlebars": "^4.7.7",
     "helmet": "^5.1.1",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "jsrp": "^0.2.4",
-    "mongoose": "^6.7.1",
+    "libsodium-wrappers": "^0.7.10",
+    "mongoose": "^6.7.2",
     "nodemailer": "^6.8.0",
-    "posthog-node": "^2.1.0",
-    "query-string": "^7.1.1",
+    "posthog-node": "^2.2.2",
+    "query-string": "^7.1.3",
     "rimraf": "^3.0.2",
     "stripe": "^10.7.0",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.8.4"
+    "typescript": "^4.9.3",
+    "winston": "^3.8.2",
+    "winston-loki": "^6.0.6"
   },
   "name": "infisical-api",
   "version": "1.0.0",
   "main": "src/index.js",
   "scripts": {
+    "prepare": "cd .. && npm install",
     "start": "npm run build && node build/index.js",
     "dev": "nodemon",
-    "build": "rimraf ./build && tsc && cp -R ./src/templates ./src/json ./build",
+    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
     "lint": "eslint . --ext .ts",
     "lint-and-fix": "eslint . --ext .ts --fix",
-    "prettier-format": "prettier --config .prettierrc 'src/**/*.ts' --write"
+    "lint-staged": "lint-staged",
+    "pretest": "docker compose -f test-resources/docker-compose.test.yml up -d",
+    "test": "cross-env NODE_ENV=test jest --testTimeout=10000 --detectOpenHandles",
+    "test:ci": "npm test -- --watchAll=false --ci --reporters=default --reporters=jest-junit --reporters=github-actions --coverage --testLocationInResults --json --outputFile=coverage/report.json",
+    "posttest": "docker compose -f test-resources/docker-compose.test.yml down"
   },
   "repository": {
     "type": "git",
@@ -49,26 +60,49 @@
   "homepage": "https://github.com/Infisical/infisical-api#readme",
   "description": "",
   "devDependencies": {
+    "@jest/globals": "^29.3.1",
     "@posthog/plugin-scaffold": "^1.3.4",
     "@types/cookie-parser": "^1.4.3",
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.14",
+    "@types/jest": "^29.2.4",
     "@types/jsonwebtoken": "^8.5.9",
     "@types/node": "^18.11.3",
     "@types/nodemailer": "^6.4.6",
+    "@types/supertest": "^2.0.12",
     "@types/swagger-jsdoc": "^6.0.1",
     "@types/swagger-ui-express": "^4.1.3",
     "@typescript-eslint/eslint-plugin": "^5.40.1",
     "@typescript-eslint/parser": "^5.40.1",
+    "cross-env": "^7.0.3",
     "eslint": "^8.26.0",
-    "eslint-config-prettier": "^8.5.0",
-    "eslint-plugin-prettier": "^4.2.1",
-    "husky": "^8.0.1",
     "install": "^0.13.0",
     "jest": "^29.3.1",
+    "jest-junit": "^15.0.0",
     "nodemon": "^2.0.19",
     "npm": "^8.19.3",
-    "prettier": "^2.7.1",
+    "supertest": "^6.3.3",
+    "ts-jest": "^29.0.3",
     "ts-node": "^10.9.1"
+  },
+  "jest": {
+    "preset": "ts-jest",
+    "testEnvironment": "node",
+    "collectCoverageFrom": [
+      "src/*.{js,ts}",
+      "!**/node_modules/**"
+    ],
+    "setupFiles": [
+      "<rootDir>/test-resources/env-vars.js"
+    ]
+  },
+  "jest-junit": {
+    "outputDirectory": "reports",
+    "outputName": "jest-junit.xml",
+    "ancestorSeparator": " › ",
+    "uniqueOutputName": "false",
+    "suiteNameTemplate": "{filepath}",
+    "classNameTemplate": "{classname}",
+    "titleTemplate": "{title}"
   }
 }

backend/src/app.ts

@@ -0,0 +1,102 @@
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { patchRouterParam } = require('./utils/patchAsyncRoutes');
+
+import express from 'express';
+import helmet from 'helmet';
+import cors from 'cors';
+import cookieParser from 'cookie-parser';
+import dotenv from 'dotenv';
+
+dotenv.config();
+import { PORT, NODE_ENV, SITE_URL } from './config';
+import { apiLimiter } from './helpers/rateLimiter';
+
+import {
+  workspace as eeWorkspaceRouter,
+  secret as eeSecretRouter
+} from './ee/routes';
+
+import {
+  signup as signupRouter,
+  auth as authRouter,
+  bot as botRouter,
+  organization as organizationRouter,
+  workspace as workspaceRouter,
+  membershipOrg as membershipOrgRouter,
+  membership as membershipRouter,
+  key as keyRouter,
+  inviteOrg as inviteOrgRouter,
+  user as userRouter,
+  userAction as userActionRouter,
+  secret as secretRouter,
+  serviceToken as serviceTokenRouter,
+  password as passwordRouter,
+  stripe as stripeRouter,
+  integration as integrationRouter,
+  integrationAuth as integrationAuthRouter
+} from './routes';
+
+import { getLogger } from './utils/logger';
+import { RouteNotFoundError } from './utils/errors';
+import { requestErrorHandler } from './middleware/requestErrorHandler';
+
+// patch async route params to handle Promise Rejections
+patchRouterParam();
+
+export const app = express();
+
+app.enable('trust proxy');
+app.use(express.json());
+app.use(cookieParser());
+app.use(
+  cors({
+    credentials: true,
+    origin: SITE_URL
+  })
+);
+
+if (NODE_ENV === 'production') {
+  // enable app-wide rate-limiting + helmet security
+  // in production
+  app.disable('x-powered-by');
+  app.use(apiLimiter);
+  app.use(helmet());
+}
+
+// /ee routers
+app.use('/api/v1/secret', eeSecretRouter);
+app.use('/api/v1/workspace', eeWorkspaceRouter);
+
+// routers
+app.use('/api/v1/signup', signupRouter);
+app.use('/api/v1/auth', authRouter);
+app.use('/api/v1/bot', botRouter);
+app.use('/api/v1/user', userRouter);
+app.use('/api/v1/user-action', userActionRouter);
+app.use('/api/v1/organization', organizationRouter);
+app.use('/api/v1/workspace', workspaceRouter);
+app.use('/api/v1/membership-org', membershipOrgRouter);
+app.use('/api/v1/membership', membershipRouter);
+app.use('/api/v1/key', keyRouter);
+app.use('/api/v1/invite-org', inviteOrgRouter);
+app.use('/api/v1/secret', secretRouter);
+app.use('/api/v1/service-token', serviceTokenRouter);
+app.use('/api/v1/password', passwordRouter);
+app.use('/api/v1/stripe', stripeRouter);
+app.use('/api/v1/integration', integrationRouter);
+app.use('/api/v1/integration-auth', integrationAuthRouter);
+
+
+//* Handle unrouted requests and respond with proper error message as well as status code
+app.use((req, res, next)=>{
+  if(res.headersSent) return next();
+  next(RouteNotFoundError({message: `The requested source '(${req.method})${req.url}' was not found`}))
+})
+
+//* Error Handling Middleware (must be after all routing logic)
+app.use(requestErrorHandler)
+
+
+export const server = app.listen(PORT, () => {
+  getLogger("backend-main").info(`Server started listening at port ${PORT}`)
+});

backend/src/config/index.ts

@@ -10,56 +10,80 @@ const JWT_SIGNUP_LIFETIME = process.env.JWT_SIGNUP_LIFETIME! || '15m';
 const JWT_SIGNUP_SECRET = process.env.JWT_SIGNUP_SECRET!;
 const MONGO_URL = process.env.MONGO_URL!;
 const NODE_ENV = process.env.NODE_ENV! || 'production';
-const OAUTH_CLIENT_SECRET_HEROKU = process.env.OAUTH_CLIENT_SECRET_HEROKU!;
-const OAUTH_TOKEN_URL_HEROKU = process.env.OAUTH_TOKEN_URL_HEROKU!;
+const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
+const LOKI_HOST = process.env.LOKI_HOST || undefined;
+const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
+const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
+const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
+const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
+const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
+const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
+const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
+const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
+const CLIENT_SLUG_VERCEL= process.env.CLIENT_SLUG_VERCEL!;
 const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
-const POSTHOG_PROJECT_API_KEY = process.env.POSTHOG_PROJECT_API_KEY! || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-const PRIVATE_KEY = process.env.PRIVATE_KEY!;
-const PUBLIC_KEY = process.env.PUBLIC_KEY!;
+const POSTHOG_PROJECT_API_KEY =
+  process.env.POSTHOG_PROJECT_API_KEY! ||
+  'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
 const SENTRY_DSN = process.env.SENTRY_DSN!;
 const SITE_URL = process.env.SITE_URL!;
-const SMTP_HOST = process.env.SMTP_HOST! || 'smtp.gmail.com';
-const SMTP_NAME = process.env.SMTP_NAME!;
+const SMTP_HOST = process.env.SMTP_HOST!;
+const SMTP_SECURE = process.env.SMTP_SECURE! === 'true' || false;
+const SMTP_PORT = parseInt(process.env.SMTP_PORT!) || 587;
 const SMTP_USERNAME = process.env.SMTP_USERNAME!;
 const SMTP_PASSWORD = process.env.SMTP_PASSWORD!;
+const SMTP_FROM_ADDRESS = process.env.SMTP_FROM_ADDRESS!;
+const SMTP_FROM_NAME = process.env.SMTP_FROM_NAME! || 'Infisical';
 const STRIPE_PRODUCT_CARD_AUTH = process.env.STRIPE_PRODUCT_CARD_AUTH!;
 const STRIPE_PRODUCT_PRO = process.env.STRIPE_PRODUCT_PRO!;
 const STRIPE_PRODUCT_STARTER = process.env.STRIPE_PRODUCT_STARTER!;
 const STRIPE_PUBLISHABLE_KEY = process.env.STRIPE_PUBLISHABLE_KEY!;
 const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY!;
 const STRIPE_WEBHOOK_SECRET = process.env.STRIPE_WEBHOOK_SECRET!;
-const TELEMETRY_ENABLED = (process.env.TELEMETRY_ENABLED! !== 'false') && true;
+const TELEMETRY_ENABLED = process.env.TELEMETRY_ENABLED! !== 'false' && true;
+const LICENSE_KEY = process.env.LICENSE_KEY!;
 
 export {
-	PORT,
-	EMAIL_TOKEN_LIFETIME,
-	ENCRYPTION_KEY,
-	JWT_AUTH_LIFETIME,
-	JWT_AUTH_SECRET,
-	JWT_REFRESH_LIFETIME,
-	JWT_REFRESH_SECRET,
-	JWT_SERVICE_SECRET,
-	JWT_SIGNUP_LIFETIME,
-	JWT_SIGNUP_SECRET,
-	MONGO_URL,
-	NODE_ENV,
-	OAUTH_CLIENT_SECRET_HEROKU,
-	OAUTH_TOKEN_URL_HEROKU,
-	POSTHOG_HOST,
-	POSTHOG_PROJECT_API_KEY,
-	PRIVATE_KEY,
-	PUBLIC_KEY,
-	SENTRY_DSN,
-	SITE_URL,
-	SMTP_HOST,
-	SMTP_NAME,
-	SMTP_USERNAME,
-	SMTP_PASSWORD,
-	STRIPE_PRODUCT_CARD_AUTH,
-	STRIPE_PRODUCT_PRO,
-	STRIPE_PRODUCT_STARTER,
-	STRIPE_PUBLISHABLE_KEY,
-	STRIPE_SECRET_KEY,
-	STRIPE_WEBHOOK_SECRET,
-	TELEMETRY_ENABLED
+  PORT,
+  EMAIL_TOKEN_LIFETIME,
+  ENCRYPTION_KEY,
+  JWT_AUTH_LIFETIME,
+  JWT_AUTH_SECRET,
+  JWT_REFRESH_LIFETIME,
+  JWT_REFRESH_SECRET,
+  JWT_SERVICE_SECRET,
+  JWT_SIGNUP_LIFETIME,
+  JWT_SIGNUP_SECRET,
+  MONGO_URL,
+  NODE_ENV,
+  VERBOSE_ERROR_OUTPUT,
+  LOKI_HOST,
+  CLIENT_ID_HEROKU,
+  CLIENT_ID_VERCEL,
+  CLIENT_ID_NETLIFY,
+  CLIENT_ID_GITHUB,
+  CLIENT_SECRET_HEROKU,
+  CLIENT_SECRET_VERCEL,
+  CLIENT_SECRET_NETLIFY,
+  CLIENT_SECRET_GITHUB,
+  CLIENT_SLUG_VERCEL,
+  POSTHOG_HOST,
+  POSTHOG_PROJECT_API_KEY,
+  SENTRY_DSN,
+  SITE_URL,
+  SMTP_HOST,
+  SMTP_PORT,
+  SMTP_SECURE,
+  SMTP_USERNAME,
+  SMTP_PASSWORD,
+  SMTP_FROM_ADDRESS,
+  SMTP_FROM_NAME,
+  STRIPE_PRODUCT_CARD_AUTH,
+  STRIPE_PRODUCT_PRO,
+  STRIPE_PRODUCT_STARTER,
+  STRIPE_PUBLISHABLE_KEY,
+  STRIPE_SECRET_KEY,
+  STRIPE_WEBHOOK_SECRET,
+  TELEMETRY_ENABLED,
+  LICENSE_KEY
 };

backend/src/controllers/authController.ts

@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
 import { Request, Response } from 'express';
 import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
@@ -5,17 +6,17 @@ import * as bigintConversion from 'bigint-conversion';
 const jsrp = require('jsrp');
 import { User } from '../models';
 import { createToken, issueTokens, clearTokens } from '../helpers/auth';
-import { 
-	NODE_ENV,
-	JWT_AUTH_LIFETIME, 
-	JWT_AUTH_SECRET,
-	JWT_REFRESH_SECRET
+import {
+  NODE_ENV,
+  JWT_AUTH_LIFETIME,
+  JWT_AUTH_SECRET,
+  JWT_REFRESH_SECRET
 } from '../config';
 
 declare module 'jsonwebtoken' {
-	export interface UserIDJwtPayload extends jwt.JwtPayload {
-		userId: string;
-	}
+  export interface UserIDJwtPayload extends jwt.JwtPayload {
+    userId: string;
+  }
 }
 
 const clientPublicKeys: any = {};
@@ -27,47 +28,45 @@ const clientPublicKeys: any = {};
  * @returns
  */
 export const login1 = async (req: Request, res: Response) => {
-	try {
-		const {
-			email,
-			clientPublicKey
-		}: { email: string; clientPublicKey: string } = req.body;
-		
-		const user = await User.findOne({
-			email
-		}).select('+salt +verifier');
-		
+  try {
+    const {
+      email,
+      clientPublicKey
+    }: { email: string; clientPublicKey: string } = req.body;
 
-		if (!user) throw new Error('Failed to find user');
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier');
 
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier
-			},
-			() => {
-				// generate server-side public key
-				const serverPublicKey = server.getPublicKey();
-				clientPublicKeys[email] = {
-					clientPublicKey,
-					serverBInt: bigintConversion.bigintToBuf(server.bInt)
-				};
-				
+    if (!user) throw new Error('Failed to find user');
 
-				return res.status(200).send({
-					serverPublicKey,
-					salt: user.salt
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to start authentication process'
-		});
-	}
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier
+      },
+      () => {
+        // generate server-side public key
+        const serverPublicKey = server.getPublicKey();
+        clientPublicKeys[email] = {
+          clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt)
+        };
+
+        return res.status(200).send({
+          serverPublicKey,
+          salt: user.salt
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to start authentication process'
+    });
+  }
 };
 
 /**
@@ -78,59 +77,59 @@ export const login1 = async (req: Request, res: Response) => {
  * @returns
  */
 export const login2 = async (req: Request, res: Response) => {
-	try {
-		const { email, clientProof } = req.body;
-		const user = await User.findOne({
-			email
-		}).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
+  try {
+    const { email, clientProof } = req.body;
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier +publicKey +encryptedPrivateKey +iv +tag');
 
-		if (!user) throw new Error('Failed to find user');
+    if (!user) throw new Error('Failed to find user');
 
-		const server = new jsrp.server();
-		server.init(
-			{
-				salt: user.salt,
-				verifier: user.verifier,
-				b: clientPublicKeys[email].serverBInt
-			},
-			async () => {
-				server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier,
+        b: clientPublicKeys[email].serverBInt
+      },
+      async () => {
+        server.setClientPublicKey(clientPublicKeys[email].clientPublicKey);
 
-				// compare server and client shared keys
-				if (server.checkClientProof(clientProof)) {
-					// issue tokens
-					const tokens = await issueTokens({ userId: user._id.toString() });
-					
-					// store (refresh) token in httpOnly cookie
-					res.cookie('jid', tokens.refreshToken, {
-						httpOnly: true,
-						path: '/token',
-						sameSite: "strict",
-						secure: NODE_ENV === 'production' ? true : false
-					});
+        // compare server and client shared keys
+        if (server.checkClientProof(clientProof)) {
+          // issue tokens
+          const tokens = await issueTokens({ userId: user._id.toString() });
 
-					// return (access) token in response
-					return res.status(200).send({
-						token: tokens.token,
-						publicKey: user.publicKey,
-						encryptedPrivateKey: user.encryptedPrivateKey,
-						iv: user.iv,
-						tag: user.tag
-					});
-				}
+          // store (refresh) token in httpOnly cookie
+          res.cookie('jid', tokens.refreshToken, {
+            httpOnly: true,
+            path: '/',
+            sameSite: 'strict',
+            secure: NODE_ENV === 'production' ? true : false
+          });
 
-				return res.status(400).send({
-					message: 'Failed to authenticate. Try again?'
-				});
-			}
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to authenticate. Try again?'
-		});
-	}
+          // return (access) token in response
+          return res.status(200).send({
+            token: tokens.token,
+            publicKey: user.publicKey,
+            encryptedPrivateKey: user.encryptedPrivateKey,
+            iv: user.iv,
+            tag: user.tag
+          });
+        }
+
+        return res.status(400).send({
+          message: 'Failed to authenticate. Try again?'
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to authenticate. Try again?'
+    });
+  }
 };
 
 /**
@@ -140,29 +139,29 @@ export const login2 = async (req: Request, res: Response) => {
  * @returns
  */
 export const logout = async (req: Request, res: Response) => {
-	try {
-		await clearTokens({
-			userId: req.user._id.toString()
-		});
-		
-		// clear httpOnly cookie
-		res.cookie('jid', '', {
-			httpOnly: true,
-			path: '/token',
-			sameSite: "strict",
-			secure: NODE_ENV === 'production' ? true : false
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to logout'
-		});
-	}
+  try {
+    await clearTokens({
+      userId: req.user._id.toString()
+    });
 
-	return res.status(200).send({
-		message: 'Successfully logged out.'
-	});
+    // clear httpOnly cookie
+    res.cookie('jid', '', {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'strict',
+      secure: NODE_ENV === 'production' ? true : false
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to logout'
+    });
+  }
+
+  return res.status(200).send({
+    message: 'Successfully logged out.'
+  });
 };
 
 /**
@@ -172,9 +171,9 @@ export const logout = async (req: Request, res: Response) => {
  * @returns
  */
 export const checkAuth = async (req: Request, res: Response) =>
-	res.status(200).send({
-		message: 'Authenticated'
-	});
+  res.status(200).send({
+    message: 'Authenticated'
+  });
 
 /**
  * Return new token by redeeming refresh token
@@ -183,42 +182,41 @@ export const checkAuth = async (req: Request, res: Response) =>
  * @returns
  */
 export const getNewToken = async (req: Request, res: Response) => {
-	try {
-		const refreshToken = req.cookies.jid;
-		
-		if (!refreshToken) {
-			throw new Error('Failed to find token in request cookies');
-		}
-		
-		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(refreshToken, JWT_REFRESH_SECRET)
-		);
-		
-		const user = await User.findOne({
-			_id: decodedToken.userId
-		}).select('+publicKey');
+  try {
+    const refreshToken = req.cookies.jid;
 
-		if (!user) throw new Error('Failed to authenticate unfound user');
-		if (!user?.publicKey)
-			throw new Error('Failed to authenticate not fully set up account');
-		
-		const token = createToken({
-			payload: {
-				userId: decodedToken.userId
-			},
-			expiresIn: JWT_AUTH_LIFETIME,
-			secret: JWT_AUTH_SECRET
-		});
-		
-		return res.status(200).send({
-			token
-		});
-		
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Invalid request'
-		});
-	}
+    if (!refreshToken) {
+      throw new Error('Failed to find token in request cookies');
+    }
+
+    const decodedToken = <jwt.UserIDJwtPayload>(
+      jwt.verify(refreshToken, JWT_REFRESH_SECRET)
+    );
+
+    const user = await User.findOne({
+      _id: decodedToken.userId
+    }).select('+publicKey');
+
+    if (!user) throw new Error('Failed to authenticate unfound user');
+    if (!user?.publicKey)
+      throw new Error('Failed to authenticate not fully set up account');
+
+    const token = createToken({
+      payload: {
+        userId: decodedToken.userId
+      },
+      expiresIn: JWT_AUTH_LIFETIME,
+      secret: JWT_AUTH_SECRET
+    });
+
+    return res.status(200).send({
+      token
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Invalid request'
+    });
+  }
 };

backend/src/controllers/botController.ts

@@ -0,0 +1,107 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Bot, BotKey } from '../models';
+import { createBot } from '../helpers/bot';
+
+interface BotKey {
+    encryptedKey: string;
+    nonce: string;
+}
+
+/**
+ * Return bot for workspace with id [workspaceId]. If a workspace bot doesn't exist,
+ * then create and return a new bot.
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getBotByWorkspaceId = async (req: Request, res: Response) => {
+    let bot;
+	try {
+        const { workspaceId } = req.params;
+
+        bot = await Bot.findOne({
+            workspace: workspaceId
+        });
+        
+        if (!bot) {
+            // case: bot doesn't exist for workspace with id [workspaceId]
+            // -> create a new bot and return it
+            bot = await createBot({
+                name: 'Infisical Bot',
+                workspaceId
+            });
+        }
+	} catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+        return res.status(400).send({
+			message: 'Failed to get bot for workspace'
+		});
+	}
+    
+    return res.status(200).send({
+        bot
+    });
+};
+
+/**
+ * Return bot with id [req.bot._id] with active state set to [isActive].
+ * @param req
+ * @param res
+ * @returns
+ */
+export const setBotActiveState = async (req: Request, res: Response) => {
+    let bot;
+	try {
+        const { isActive, botKey }: { isActive: boolean, botKey: BotKey } = req.body;
+        
+        if (isActive) {
+            // bot state set to active -> share workspace key with bot
+            if (!botKey?.encryptedKey || !botKey?.nonce) {
+                return res.status(400).send({
+                    message: 'Failed to set bot state to active - missing bot key'
+                });
+            }
+            
+            await BotKey.findOneAndUpdate({
+                workspace: req.bot.workspace
+            }, {
+                encryptedKey: botKey.encryptedKey,
+                nonce: botKey.nonce,
+                sender: req.user._id,
+                bot: req.bot._id,
+                workspace: req.bot.workspace
+            }, {
+                upsert: true,
+                new: true
+            });
+        } else {
+            // case: bot state set to inactive -> delete bot's workspace key
+            await BotKey.deleteOne({
+                bot: req.bot._id
+            });
+        }
+
+        bot = await Bot.findOneAndUpdate({
+            _id: req.bot._id
+        }, {
+            isActive
+        }, {
+            new: true
+        });
+        
+        if (!bot) throw new Error('Failed to update bot active state');
+        
+	} catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+        return res.status(400).send({
+			message: 'Failed to update bot active state'
+		});
+	}
+    
+    return res.status(200).send({
+        bot
+    });
+};

backend/src/controllers/index.ts

@@ -1,4 +1,5 @@
 import * as authController from './authController';
+import * as botController from './botController';
 import * as integrationAuthController from './integrationAuthController';
 import * as integrationController from './integrationController';
 import * as keyController from './keyController';
@@ -16,6 +17,7 @@ import * as workspaceController from './workspaceController';
 
 export {
 	authController,
+	botController,
 	integrationAuthController,
 	integrationController,
 	keyController,

backend/src/controllers/integrationAuthController.ts

@@ -3,69 +3,45 @@ import * as Sentry from '@sentry/node';
 import axios from 'axios';
 import { readFileSync } from 'fs';
 import { IntegrationAuth, Integration } from '../models';
-import { processOAuthTokenRes } from '../helpers/integrationAuth';
-import { INTEGRATION_SET, ENV_DEV } from '../variables';
-import { OAUTH_CLIENT_SECRET_HEROKU, OAUTH_TOKEN_URL_HEROKU } from '../config';
+import { INTEGRATION_SET, INTEGRATION_OPTIONS, ENV_DEV } from '../variables';
+import { IntegrationService } from '../services';
+import { getApps, revokeAccess } from '../integrations';
+
+export const getIntegrationOptions = async (
+	req: Request,
+	res: Response
+) => {
+	return res.status(200).send({
+		integrationOptions: INTEGRATION_OPTIONS
+	});
+}
 
 /**
  * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
- * Note: integration [integration] must be set up compatible/designed for OAuth2
  * @param req
  * @param res
  * @returns
  */
-export const integrationAuthOauthExchange = async (
+export const oAuthExchange = async (
 	req: Request,
 	res: Response
 ) => {
 	try {
-		let clientSecret;
-
 		const { workspaceId, code, integration } = req.body;
 
 		if (!INTEGRATION_SET.has(integration))
 			throw new Error('Failed to validate integration');
-
-		// use correct client secret
-		switch (integration) {
-			case 'heroku':
-				clientSecret = OAUTH_CLIENT_SECRET_HEROKU;
-		}
-
-		// TODO: unfinished - make compatible with other integration types
-		const res = await axios.post(
-			OAUTH_TOKEN_URL_HEROKU!,
-			new URLSearchParams({
-				grant_type: 'authorization_code',
-				code: code,
-				client_secret: clientSecret
-			} as any)
-		);
-
-		const integrationAuth = await processOAuthTokenRes({
+	
+		await IntegrationService.handleOAuthExchange({
 			workspaceId,
 			integration,
-			res
+			code
 		});
-
-		// create or replace integration
-		const integrationObj = await Integration.findOneAndUpdate(
-			{ workspace: workspaceId, integration },
-			{
-				workspace: workspaceId,
-				environment: ENV_DEV,
-				isActive: false,
-				app: null,
-				integration,
-				integrationAuth: integrationAuth._id
-			},
-			{ upsert: true, new: true }
-		);
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
-			message: 'Failed to get OAuth2 token'
+			message: 'Failed to get OAuth2 code-token exchange'
 		});
 	}
 
@@ -75,26 +51,25 @@ export const integrationAuthOauthExchange = async (
 };
 
 /**
- * Return list of applications allowed for integration with id [integrationAuthId]
+ * Return list of applications allowed for integration with integration authorization id [integrationAuthId]
  * @param req
  * @param res
  * @returns
  */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-	// TODO: unfinished - make compatible with other integration types
 	let apps;
 	try {
-		const res = await axios.get('https://api.heroku.com/apps', {
-			headers: {
-				Accept: 'application/vnd.heroku+json; version=3',
-				Authorization: 'Bearer ' + req.accessToken
-			}
+		apps = await getApps({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
 		});
-
-		apps = res.data.map((a: any) => ({
-			name: a.name
-		}));
-	} catch (err) {}
+	} catch (err) {
+		Sentry.setUser(null);
+        Sentry.captureException(err);	
+		return res.status(400).send({
+			message: 'Failed to get integration authorization applications'
+		});
+	}
 
 	return res.status(200).send({
 		apps
@@ -108,46 +83,22 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
  * @returns
  */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-	// TODO: unfinished - disable application via Heroku API and make compatible with other integration types
 	try {
 		const { integrationAuthId } = req.params;
 
-		// TODO: disable application via Heroku API; figure out what authorization id is
-
-		const integrations = JSON.parse(
-			readFileSync('./src/json/integrations.json').toString()
-		);
-
-		let authorizationId;
-		switch (req.integrationAuth.integration) {
-			case 'heroku':
-				authorizationId = integrations.heroku.clientId;
-		}
-
-		// not sure what authorizationId is?
-		// // revoke authorization
-		// const res2 = await axios.delete(
-		//   `https://api.heroku.com/oauth/authorizations/${authorizationId}`,
-		//   {
-		//     headers: {
-		//         'Accept': 'application/vnd.heroku+json; version=3',
-		//         'Authorization': 'Bearer ' + req.accessToken
-		//     }
-		//   }
-		// );
-
-		const deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
-			_id: integrationAuthId
+		await revokeAccess({
+			integrationAuth: req.integrationAuth,
+			accessToken: req.accessToken
 		});
-
-		if (deletedIntegrationAuth) {
-			await Integration.deleteMany({
-				integrationAuth: deletedIntegrationAuth._id
-			});
-		}
 	} catch (err) {
+		Sentry.setUser(null);
+        Sentry.captureException(err);	
 		return res.status(400).send({
 			message: 'Failed to delete integration authorization'
 		});
 	}
-};
+	
+	return res.status(200).send({
+		message: 'Successfully deleted integration authorization'
+	});
+}

backend/src/controllers/integrationController.ts

@@ -1,11 +1,9 @@
 import { Request, Response } from 'express';
 import { readFileSync } from 'fs';
 import * as Sentry from '@sentry/node';
-import axios from 'axios';
-import { Integration } from '../models';
-import { decryptAsymmetric } from '../utils/crypto';
-import { decryptSecrets } from '../helpers/secret';
-import { PRIVATE_KEY } from '../config';
+import { Integration, Bot, BotKey } from '../models';
+import { EventService } from '../services';
+import { eventPushSecrets } from '../events';
 
 interface Key {
 	encryptedKey: string;
@@ -24,104 +22,58 @@ interface PushSecret {
 	type: 'shared' | 'personal';
 }
 
-/**
- * Return list of all available integrations on Infisical
- * @param req
- * @param res
- * @returns
- */
-export const getIntegrations = async (req: Request, res: Response) => {
-	let integrations;
-	try {
-		integrations = JSON.parse(
-			readFileSync('./src/json/integrations.json').toString()
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get integrations'
-		});
-	}
-
-	return res.status(200).send({
-		integrations
-	});
-};
-
-/**
- * Sync secrets [secrets] to integration with id [integrationId]
- * @param req
- * @param res
- * @returns
- */
-export const syncIntegration = async (req: Request, res: Response) => {
-	// TODO: unfinished - make more versatile to accomodate for other integrations
-	try {
-		const { key, secrets }: { key: Key; secrets: PushSecret[] } = req.body;
-		const symmetricKey = decryptAsymmetric({
-			ciphertext: key.encryptedKey,
-			nonce: key.nonce,
-			publicKey: req.user.publicKey,
-			privateKey: PRIVATE_KEY
-		});
-
-		// decrypt secrets with symmetric key
-		const content = decryptSecrets({
-			secrets,
-			key: symmetricKey,
-			format: 'object'
-		});
-
-		// TODO: make integration work for other integrations as well
-		const res = await axios.patch(
-			`https://api.heroku.com/apps/${req.integration.app}/config-vars`,
-			content,
-			{
-				headers: {
-					Accept: 'application/vnd.heroku+json; version=3',
-					Authorization: 'Bearer ' + req.accessToken
-				}
-			}
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to sync secrets with integration'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully synced secrets with integration'
-	});
-};
-
 /**
  * Change environment or name of integration with id [integrationId]
  * @param req
  * @param res
  * @returns
  */
-export const modifyIntegration = async (req: Request, res: Response) => {
+export const updateIntegration = async (req: Request, res: Response) => {
 	let integration;
+	
+	// TODO: add integration-specific validation to ensure that each
+	// integration has the correct fields populated in [Integration]
+	
 	try {
-		const { update } = req.body;
-
+		const { 
+			app, 
+			environment, 
+			isActive, 
+			target, // vercel-specific integration param
+			context, // netlify-specific integration param
+			siteId // netlify-specific integration param
+		} = req.body;
+		
 		integration = await Integration.findOneAndUpdate(
 			{
 				_id: req.integration._id
 			},
-			update,
+			{
+				environment,
+				isActive,
+				app,
+				target,
+				context,
+				siteId
+			},
 			{
 				new: true
 			}
 		);
+		
+		if (integration) {
+			// trigger event - push secrets
+			EventService.handleEvent({
+				event: eventPushSecrets({
+					workspaceId: integration.workspace.toString()
+				})
+			});
+		}
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
-			message: 'Failed to modify integration'
+			message: 'Failed to update integration'
 		});
 	}
 
@@ -131,7 +83,8 @@ export const modifyIntegration = async (req: Request, res: Response) => {
 };
 
 /**
- * Delete integration with id [integrationId]
+ * Delete integration with id [integrationId] and deactivate bot if there are
+ * no integrations left
  * @param req
  * @param res
  * @returns
@@ -144,6 +97,29 @@ export const deleteIntegration = async (req: Request, res: Response) => {
 		deletedIntegration = await Integration.findOneAndDelete({
 			_id: integrationId
 		});
+		
+		if (!deletedIntegration) throw new Error('Failed to find integration');
+		
+		const integrations = await Integration.find({
+			workspace: deletedIntegration.workspace
+		});
+			
+		if (integrations.length === 0) {
+			// case: no integrations left, deactivate bot
+			const bot = await Bot.findOneAndUpdate({
+				workspace: deletedIntegration.workspace
+			}, {
+				isActive: false
+			}, {
+				new: true
+			});
+			
+			if (bot) {
+				await BotKey.deleteOne({
+					bot: bot._id
+				});
+			}
+		}
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);

backend/src/controllers/keyController.ts

@@ -2,7 +2,6 @@ import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import { Key } from '../models';
 import { findMembership } from '../helpers/membership';
-import { PUBLIC_KEY } from '../config';
 import { GRANTED } from '../variables';
 
 /**
@@ -17,16 +16,6 @@ export const uploadKey = async (req: Request, res: Response) => {
 		const { workspaceId } = req.params;
 		const { key } = req.body;
 
-		// validate membership of sender
-		const senderMembership = await findMembership({
-			user: req.user._id,
-			workspace: workspaceId
-		});
-
-		if (!senderMembership) {
-			throw new Error('Failed sender membership validation for workspace');
-		}
-
 		// validate membership of receiver
 		const receiverMembership = await findMembership({
 			user: key.userId,
@@ -94,16 +83,4 @@ export const getLatestKey = async (req: Request, res: Response) => {
 	}
 
 	return res.status(200).send(resObj);
-};
-
-/**
- * Return public key of Infisical
- * @param req
- * @param res
- * @returns
- */
-export const getPublicKeyInfisical = async (req: Request, res: Response) => {
-	return res.status(200).send({
-		publicKey: PUBLIC_KEY
-	});
-};
+};

backend/src/controllers/membershipOrgController.ts

@@ -217,7 +217,7 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 	try {
 		const { email, code } = req.body;
 
-		user = await User.findOne({ email });
+		user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
 			return res.status(403).send({
@@ -257,7 +257,7 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		return res.status(400).send({
-			error: 'Failed email magic link confirmation'
+			error: 'Failed email magic link verification for organization invitation'
 		});
 	}
 

backend/src/controllers/passwordController.ts

@@ -1,11 +1,121 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, BackupPrivateKey } from '../models';
+import { User, Token, BackupPrivateKey } from '../models';
+import { checkEmailVerification } from '../helpers/signup';
+import { createToken } from '../helpers/auth';
+import { sendMail } from '../helpers/nodemailer';
+import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../config';
 
 const clientPublicKeys: any = {};
 
+/**
+ * Password reset step 1: Send email verification link to email [email] 
+ * for account recovery.
+ * @param req
+ * @param res
+ * @returns
+ */
+export const emailPasswordReset = async (req: Request, res: Response) => {
+	let email: string;
+	try {
+		email = req.body.email;
+
+		const user = await User.findOne({ email }).select('+publicKey');
+		if (!user || !user?.publicKey) {
+			// case: user has already completed account
+
+			return res.status(403).send({
+				error: 'Failed to send email verification for password reset'
+			});
+		}
+		
+		const token = crypto.randomBytes(16).toString('hex');
+
+		await Token.findOneAndUpdate(
+			{ email },
+			{
+				email,
+				token,
+				createdAt: new Date()
+			},
+			{ upsert: true, new: true }
+		);
+		
+		await sendMail({
+			template: 'passwordReset.handlebars',
+			subjectLine: 'Infisical password reset',
+			recipients: [email],
+			substitutions: {
+				email,
+				token,
+				callback_url: SITE_URL + '/password-reset'
+			}
+		});
+		
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to send email for account recovery'
+		});	
+	}
+	
+	return res.status(200).send({
+		message: `Sent an email for account recovery to ${email}`
+	});
+}
+
+/**
+ * Password reset step 2: Verify email verification link sent to email [email]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const emailPasswordResetVerify = async (req: Request, res: Response) => {
+	let user, token;
+	try {
+		const { email, code } = req.body;
+		
+		user = await User.findOne({ email }).select('+publicKey');
+		if (!user || !user?.publicKey) {
+			// case: user doesn't exist with email [email] or 
+			// hasn't even completed their account
+			return res.status(403).send({
+				error: 'Failed email verification for password reset'
+			});
+		}
+
+		await checkEmailVerification({
+			email,
+			code
+		});
+		
+		// generate temporary password-reset token
+		token = createToken({
+			payload: {
+				userId: user._id.toString()
+			},
+			expiresIn: JWT_SIGNUP_LIFETIME,
+			secret: JWT_SIGNUP_SECRET
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed email verification for password reset'
+		});	
+	}
+
+	return res.status(200).send({
+		message: 'Successfully verified email',
+		user,
+		token
+	});
+}
+
 /**
  * Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
  * @param req
@@ -43,7 +153,7 @@ export const srp1 = async (req: Request, res: Response) => {
 			}
 		);
 	} catch (err) {
-		Sentry.setUser(null);
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			error: 'Failed to start change password process'
@@ -110,7 +220,7 @@ export const changePassword = async (req: Request, res: Response) => {
 			}
 		);
 	} catch (err) {
-		Sentry.setUser(null);
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			error: 'Failed to change password. Try again?'
@@ -180,10 +290,73 @@ export const createBackupPrivateKey = async (req: Request, res: Response) => {
 			}
 		);
 	} catch (err) {
-		Sentry.setUser(null);
+		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
 			message: 'Failed to update backup private key'
 		});
 	}
 };
+
+/**
+ * Return backup private key for user
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getBackupPrivateKey = async (req: Request, res: Response) => {
+	let backupPrivateKey;
+	try {
+		backupPrivateKey = await BackupPrivateKey.findOne({
+			user: req.user._id
+		}).select('+encryptedPrivateKey +iv +tag');
+		
+		if (!backupPrivateKey) throw new Error('Failed to find backup private key');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email});
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get backup private key'
+		});
+	}
+	
+	return res.status(200).send({
+		backupPrivateKey
+	});
+}
+
+export const resetPassword = async (req: Request, res: Response) => {
+	try {
+		const {
+			encryptedPrivateKey,
+			iv,
+			tag,
+			salt,
+			verifier,
+		} = req.body;
+
+		await User.findByIdAndUpdate(
+			req.user._id.toString(),
+			{
+				encryptedPrivateKey,
+				iv,
+				tag,
+				salt,
+				verifier
+			},
+			{
+				new: true
+			}
+		);	
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email});
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get backup private key'
+		});	
+	}
+	
+	return res.status(200).send({
+		message: 'Successfully reset password'
+	});
+}

backend/src/controllers/secretController.ts

@@ -1,14 +1,15 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Key } from '../models';
+import { Key, Secret } from '../models';
 import {
 	pushSecrets as push,
 	pullSecrets as pull,
 	reformatPullSecrets
 } from '../helpers/secret';
 import { pushKeys } from '../helpers/key';
+import { eventPushSecrets } from '../events';
+import { EventService } from '../services';
 import { ENV_SET } from '../variables';
-
 import { postHogClient } from '../services';
 
 interface PushSecret {
@@ -60,7 +61,8 @@ export const pushSecrets = async (req: Request, res: Response) => {
 			workspaceId,
 			keys
 		});
-
+		
+		
 		if (postHogClient) {
 			postHogClient.capture({
 				event: 'secrets pushed',
@@ -74,6 +76,13 @@ export const pushSecrets = async (req: Request, res: Response) => {
 			});
 		}
 
+		// trigger event - push secrets
+		EventService.handleEvent({
+			event: eventPushSecrets({
+				workspaceId
+			})
+		});
+
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@@ -160,9 +169,6 @@ export const pullSecrets = async (req: Request, res: Response) => {
  * @returns
  */
 export const pullSecretsServiceToken = async (req: Request, res: Response) => {
-	// get (encrypted) secrets from workspace with id [workspaceId]
-	// service token route
-
 	let secrets;
 	let key;
 	try {
@@ -192,7 +198,7 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		};
 
 		if (postHogClient) {
-			// capture secrets pushed event in production
+			// capture secrets pulled event in production
 			postHogClient.capture({
 				distinctId: req.serviceToken.user.email,
 				event: 'secrets pulled',
@@ -216,4 +222,4 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		secrets: reformatPullSecrets({ secrets }),
 		key
 	});
-};
+};

backend/src/controllers/serviceTokenController.ts

@@ -58,7 +58,8 @@ export const createServiceToken = async (req: Request, res: Response) => {
 
 		token = createToken({
 			payload: {
-				serviceTokenId: serviceToken._id.toString()
+				serviceTokenId: serviceToken._id.toString(),
+				workspaceId
 			},
 			expiresIn: expiresIn,
 			secret: JWT_SERVICE_SECRET

backend/src/controllers/signupController.ts

@@ -10,6 +10,7 @@ import {
 } from '../helpers/signup';
 import { issueTokens, createToken } from '../helpers/auth';
 import { INVITED, ACCEPTED } from '../variables';
+import axios from 'axios';
 
 /**
  * Signup step 1: Initialize account for user under email [email] and send a verification code
@@ -179,6 +180,21 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 
 		token = tokens.token;
 		refreshToken = tokens.refreshToken;
+
+		// sending a welcome email to new users
+		if (process.env.LOOPS_API_KEY) {
+			await axios.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
+				},
+			});
+		}
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);

backend/src/controllers/workspaceController.ts

@@ -7,7 +7,7 @@ import {
 	Integration,
 	IntegrationAuth,
 	IUser,
-	ServiceToken
+	ServiceToken,
 } from '../models';
 import {
 	createWorkspace as create,

backend/src/ee/controllers/index.ts

@@ -1,5 +1,9 @@
 import * as stripeController from './stripeController';
+import * as secretController from './secretController';
+import * as workspaceController from './workspaceController';
 
 export {
-    stripeController
+    stripeController,
+    secretController,
+    workspaceController
 }

backend/src/ee/controllers/secretController.ts

@@ -0,0 +1,35 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { SecretVersion } from '../models';
+
+/**
+ * Return secret versions for secret with id [secretId]
+ * @param req 
+ * @param res 
+ */
+ export const getSecretVersions = async (req: Request, res: Response) => {
+	let secretVersions;
+	try {
+		const { secretId } = req.params;
+
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		
+		secretVersions = await SecretVersion.find({
+			secret: secretId
+		})
+		.skip(offset)
+		.limit(limit);
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret versions'
+		});
+	}
+	
+	return res.status(200).send({
+		secretVersions
+	});
+}

backend/src/ee/controllers/workspaceController.ts

@@ -0,0 +1,35 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { SecretSnapshot } from '../models';
+
+/**
+ * Return secret snapshots for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
+	let secretSnapshots;
+	try {
+		const { workspaceId } = req.params;
+
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		
+		secretSnapshots = await SecretSnapshot.find({
+			workspace: workspaceId
+		})
+		.skip(offset)
+		.limit(limit);
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret snapshots'
+		});
+	}
+	
+	return res.status(200).send({
+		secretSnapshots
+	});
+}

backend/src/ee/helpers/license.ts

@@ -1,21 +0,0 @@
-
-/**
- * @param {Object} obj
- * @param {Object} obj.licenseKey - Infisical license key
- */
-const checkLicenseKey = ({
-    licenseKey
-}: {
-    licenseKey: string
-}) => {
-    try {
-        // TODO
-
-    } catch (err) {
-
-    }
-}
-
-export {
-    checkLicenseKey
-}

backend/src/ee/helpers/secret.ts

@@ -0,0 +1,74 @@
+import * as Sentry from '@sentry/node';
+import {
+    Secret
+} from '../../models';
+import {
+    SecretSnapshot,
+	SecretVersion,
+	ISecretVersion
+} from '../models';
+
+/**
+ * Save a copy of the current state of secrets in workspace with id
+ * [workspaceId] under a new snapshot with incremented version under the
+ * secretsnapshots collection.
+ * @param {Object} obj
+ * @param {String} obj.workspaceId
+ */
+ const takeSecretSnapshotHelper = async ({
+	workspaceId
+}: {
+	workspaceId: string;
+}) => {
+	try {
+		const secrets = await Secret.find({
+			workspace: workspaceId
+		});
+		
+		const latestSecretSnapshot = await SecretSnapshot.findOne({
+			workspace: workspaceId
+		}).sort({ version: -1 });
+		
+		if (!latestSecretSnapshot) {
+			// case: no snapshots exist for workspace -> create first snapshot
+			await new SecretSnapshot({
+				workspace: workspaceId,
+				version: 1,
+				secrets 
+			}).save();	
+
+			return;
+		}
+		
+		// case: snapshots exist for workspace
+		await new SecretSnapshot({
+			workspace: workspaceId,
+			version: latestSecretSnapshot.version + 1,
+			secrets 
+		}).save();
+		
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to take a secret snapshot');
+	}
+}
+
+const addSecretVersionsHelper = async ({
+	secretVersions
+}: {
+	secretVersions: ISecretVersion[]
+}) => {
+	try {
+		await SecretVersion.insertMany(secretVersions);
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to add secret versions');
+	}
+}
+
+export {
+    takeSecretSnapshotHelper,
+	addSecretVersionsHelper
+}

backend/src/ee/models/index.ts

@@ -0,0 +1,9 @@
+import SecretSnapshot, { ISecretSnapshot } from "./secretSnapshot";
+import SecretVersion, { ISecretVersion } from "./secretVersion";
+
+export {
+    SecretSnapshot,
+    ISecretSnapshot,
+    SecretVersion,
+    ISecretVersion
+}

backend/src/ee/models/secretSnapshot.ts

@@ -0,0 +1,109 @@
+import { Schema, model, Types } from 'mongoose';
+import {
+	SECRET_SHARED,
+	SECRET_PERSONAL,
+	ENV_DEV,
+	ENV_TESTING,
+	ENV_STAGING,
+	ENV_PROD
+} from '../../variables';
+
+export interface ISecretSnapshot {
+    workspace: Types.ObjectId;
+    version: number;
+    secrets: {
+        version: number;
+        workspace: Types.ObjectId;
+        type: string;
+        user: Types.ObjectId;
+        environment: string;
+        secretKeyCiphertext: string;
+        secretKeyIV: string;
+        secretKeyTag: string;
+        secretKeyHash: string;
+        secretValueCiphertext: string;
+        secretValueIV: string;
+        secretValueTag: string;
+        secretValueHash: string;
+    }[]
+}
+
+const secretSnapshotSchema = new Schema<ISecretSnapshot>(
+    {
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace',
+            required: true
+        },
+        version: {
+            type: Number,
+            required: true
+        },
+        secrets: [{
+            version: {
+                type: Number,
+                default: 1,
+                required: true
+            },
+            workspace: {
+                type: Schema.Types.ObjectId,
+                ref: 'Workspace',
+                required: true
+            },
+            type: {
+                type: String,
+                enum: [SECRET_SHARED, SECRET_PERSONAL],
+                required: true
+            },
+            user: {
+                // user associated with the personal secret
+                type: Schema.Types.ObjectId,
+                ref: 'User'
+            },
+            environment: {
+                type: String,
+                enum: [ENV_DEV, ENV_TESTING, ENV_STAGING, ENV_PROD],
+                required: true
+            },
+            secretKeyCiphertext: {
+                type: String,
+                required: true
+            },
+            secretKeyIV: {
+                type: String, // symmetric
+                required: true
+            },
+            secretKeyTag: {
+                type: String, // symmetric
+                required: true
+            },
+            secretKeyHash: {
+                type: String,
+                required: true
+            },
+            secretValueCiphertext: {
+                type: String,
+                required: true
+            },
+            secretValueIV: {
+                type: String, // symmetric
+                required: true
+            },
+            secretValueTag: {
+                type: String, // symmetric
+                required: true
+            },
+            secretValueHash: {
+                type: String,
+                required: true
+            }
+        }]
+    },
+    {
+        timestamps: true
+    }
+);
+
+const SecretSnapshot = model<ISecretSnapshot>('SecretSnapshot', secretSnapshotSchema);
+
+export default SecretSnapshot;

backend/src/ee/models/secretVersion.ts

@@ -0,0 +1,75 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface ISecretVersion {
+    _id?: Types.ObjectId;
+    secret: Types.ObjectId;
+    version: number;
+    isDeleted: boolean;
+    secretKeyCiphertext: string;
+	secretKeyIV: string;
+	secretKeyTag: string;
+	secretKeyHash: string;
+	secretValueCiphertext: string;
+	secretValueIV: string;
+	secretValueTag: string;
+	secretValueHash: string;
+}
+
+const secretVersionSchema = new Schema<ISecretVersion>(
+    {
+        secret: { // could be deleted
+            type: Schema.Types.ObjectId,
+            ref: 'Secret',
+            required: true
+        },
+        version: {
+            type: Number,
+            default: 1,
+            required: true
+        },
+        isDeleted: {
+            type: Boolean,
+            default: false,
+            required: true
+        },
+        secretKeyCiphertext: {
+			type: String,
+			required: true
+		},
+		secretKeyIV: {
+			type: String, // symmetric
+			required: true
+		},
+		secretKeyTag: {
+			type: String, // symmetric
+			required: true
+		},
+		secretKeyHash: {
+			type: String,
+			required: true
+		},
+		secretValueCiphertext: {
+			type: String,
+			required: true
+		},
+		secretValueIV: {
+			type: String, // symmetric
+			required: true
+		},
+		secretValueTag: {
+			type: String, // symmetric
+			required: true
+		},
+		secretValueHash: {
+			type: String,
+			required: true
+		}
+    },
+    {
+        timestamps: true
+    }
+);
+
+const SecretVersion = model<ISecretVersion>('SecretVersion', secretVersionSchema);
+
+export default SecretVersion;

backend/src/ee/routes/index.ts

@@ -0,0 +1,7 @@
+import secret from './secret';
+import workspace from './workspace';
+
+export {
+    secret,
+    workspace
+}

backend/src/ee/routes/secret.ts

@@ -0,0 +1,26 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    requireWorkspaceAuth,
+    validateRequest
+} from '../../middleware';
+import { body, query, param } from 'express-validator';
+import { secretController } from '../controllers';
+import { ADMIN, MEMBER, COMPLETED, GRANTED } from '../../variables';
+
+router.get(
+	'/:secretId/secret-versions',
+	requireAuth,
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		acceptedStatuses: [COMPLETED, GRANTED]
+	}),
+	param('secretId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
+	validateRequest,
+	secretController.getSecretVersions
+);
+
+export default router;

backend/src/ee/routes/workspace.ts

@@ -0,0 +1,27 @@
+import express from 'express';
+const router = express.Router();
+import {
+	requireAuth,
+	requireWorkspaceAuth,
+	validateRequest
+} from '../../middleware';
+import { param, query } from 'express-validator';
+import { ADMIN, MEMBER, GRANTED } from '../../variables';
+import { workspaceController } from '../controllers';
+
+router.get(
+	'/:workspaceId/secret-snapshots',
+	requireAuth,
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		acceptedStatuses: [GRANTED]
+	}),
+	param('workspaceId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
+	validateRequest,
+	workspaceController.getWorkspaceSecretSnapshots
+);
+
+
+export default router;

backend/src/ee/services/EELicenseService.ts

@@ -0,0 +1,19 @@
+import { LICENSE_KEY } from '../../config';
+
+/**
+ * Class to handle Enterprise Edition license actions
+ */
+class EELicenseService {
+    
+    private readonly _isLicenseValid: boolean;
+    
+    constructor(licenseKey: string) {
+        this._isLicenseValid = true;
+    }
+
+    public get isLicenseValid(): boolean {
+        return this._isLicenseValid;
+    }
+}
+
+export default new EELicenseService(LICENSE_KEY);

backend/src/ee/services/EESecretService.ts

@@ -0,0 +1,47 @@
+import { ISecretVersion } from '../models';
+import { 
+    takeSecretSnapshotHelper,
+    addSecretVersionsHelper
+} from '../helpers/secret';
+import EELicenseService from './EELicenseService';
+
+/**
+ * Class to handle Enterprise Edition secret actions
+ */
+class EESecretService {
+    
+    /**
+     * Save a copy of the current state of secrets in workspace with id
+     * [workspaceId] under a new snapshot with incremented version under the
+     * SecretSnapshot collection.
+     * Requires a valid license key [licenseKey]
+     * @param {Object} obj
+     * @param {String} obj.workspaceId
+     */
+    static async takeSecretSnapshot({
+        workspaceId
+    }: {
+        workspaceId: string;
+    }) {
+        if (!EELicenseService.isLicenseValid) return;
+        await takeSecretSnapshotHelper({ workspaceId });
+    }
+    
+    /**
+     * Adds secret versions [secretVersions] to the SecretVersion collection.
+     * @param {Object} obj
+     * @param {SecretVersion} obj.secretVersions
+     */
+    static async addSecretVersions({
+        secretVersions
+    }: {
+        secretVersions: ISecretVersion[];
+    }) {
+        if (!EELicenseService.isLicenseValid) return;
+        await addSecretVersionsHelper({
+            secretVersions
+        });
+    }
+}
+
+export default EESecretService;

backend/src/ee/services/index.ts

@@ -0,0 +1,7 @@
+import EELicenseService from "./EELicenseService";
+import EESecretService from "./EESecretService";
+
+export {
+    EELicenseService,
+    EESecretService
+}

backend/src/events/index.ts

@@ -0,0 +1,5 @@
+import { eventPushSecrets } from "./secret"
+
+export {
+    eventPushSecrets
+}

backend/src/events/secret.ts

@@ -0,0 +1,37 @@
+import { EVENT_PUSH_SECRETS } from '../variables';
+
+interface PushSecret {
+	ciphertextKey: string;
+	ivKey: string;
+	tagKey: string;
+	hashKey: string;
+	ciphertextValue: string;
+	ivValue: string;
+	tagValue: string;
+	hashValue: string;
+	type: 'shared' | 'personal';
+}
+
+/**
+ * Return event for pushing secrets
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace to push secrets to
+ * @returns 
+ */
+const eventPushSecrets = ({
+    workspaceId,
+}: {
+    workspaceId: string;
+}) => {
+    return ({
+        name: EVENT_PUSH_SECRETS,
+        workspaceId,
+        payload: {
+
+        }
+    });
+}
+
+export {
+    eventPushSecrets
+}

backend/src/helpers/bot.ts

@@ -0,0 +1,230 @@
+import * as Sentry from '@sentry/node';
+import {
+    Bot,
+    BotKey,
+    Secret,
+    ISecret,
+    IUser
+} from '../models';
+import { 
+    generateKeyPair, 
+    encryptSymmetric,
+    decryptSymmetric,
+    decryptAsymmetric
+} from '../utils/crypto';
+import { decryptSecrets } from '../helpers/secret';
+import { ENCRYPTION_KEY } from '../config';
+import { SECRET_SHARED } from '../variables';
+
+/**
+ * Create an inactive bot with name [name] for workspace with id [workspaceId]
+ * @param {Object} obj 
+ * @param {String} obj.name - name of bot
+ * @param {String} obj.workspaceId - id of workspace that bot belongs to
+ */
+const createBot = async ({
+    name,
+    workspaceId,
+}: {
+    name: string;
+    workspaceId: string;
+}) => {
+    let bot;
+    try {
+        const { publicKey, privateKey } = generateKeyPair();
+        const { ciphertext, iv, tag } = encryptSymmetric({
+            plaintext: privateKey,
+            key: ENCRYPTION_KEY
+        });
+
+        bot = await new Bot({
+            name,
+            workspace: workspaceId,
+            isActive: false,
+            publicKey,
+            encryptedPrivateKey: ciphertext,
+            iv,
+            tag
+        }).save();
+    } catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to create bot');
+    }
+    
+    return bot;
+}
+
+/**
+ * Return decrypted secrets for workspace with id [workspaceId]
+ * and [environment] using bot
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace
+ * @param {String} obj.environment - environment
+ */
+const getSecretsHelper = async ({
+    workspaceId,
+    environment
+}: {
+    workspaceId: string;
+    environment: string;
+}) => {
+    const content = {} as any;
+    try {
+        const key = await getKey({ workspaceId });
+        const secrets = await Secret.find({
+            workspaceId,
+            environment,
+            type: SECRET_SHARED
+        });
+        
+        secrets.forEach((secret: ISecret) => {
+            const secretKey = decryptSymmetric({
+                ciphertext: secret.secretKeyCiphertext,
+                iv: secret.secretKeyIV,
+                tag: secret.secretKeyTag,
+                key
+            });
+            
+            const secretValue = decryptSymmetric({
+                ciphertext: secret.secretValueCiphertext,
+                iv: secret.secretValueIV,
+                tag: secret.secretValueTag,
+                key
+            });
+
+            content[secretKey] = secretValue;
+        });
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to get secrets');
+    }
+
+    return content;
+}
+
+/**
+ * Return bot's copy of the workspace key for workspace 
+ * with id [workspaceId]
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace
+ * @returns {String} key - decrypted workspace key
+ */
+const getKey = async ({ workspaceId }: { workspaceId: string }) => {
+    let key;
+    try {
+        const botKey = await BotKey.findOne({
+            workspace: workspaceId
+        }).populate<{ sender: IUser }>('sender', 'publicKey');
+        
+        if (!botKey) throw new Error('Failed to find bot key');
+        
+        const bot = await Bot.findOne({
+            workspace: workspaceId
+        }).select('+encryptedPrivateKey +iv +tag');
+        
+        if (!bot) throw new Error('Failed to find bot');
+        if (!bot.isActive) throw new Error('Bot is not active');
+        
+        const privateKeyBot = decryptSymmetric({
+            ciphertext: bot.encryptedPrivateKey,
+            iv: bot.iv,
+            tag: bot.tag,
+            key: ENCRYPTION_KEY
+        });
+        
+        key = decryptAsymmetric({
+            ciphertext: botKey.encryptedKey,
+            nonce: botKey.nonce,
+            publicKey: botKey.sender.publicKey as string,
+            privateKey: privateKeyBot
+        });
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to get workspace key');
+    }
+    
+    return key;
+}
+
+/**
+ * Return symmetrically encrypted [plaintext] using the
+ * key for workspace with id [workspaceId] 
+ * @param {Object} obj1
+ * @param {String} obj1.workspaceId - id of workspace
+ * @param {String} obj1.plaintext - plaintext to encrypt
+ */
+const encryptSymmetricHelper = async ({
+    workspaceId,
+    plaintext
+}: {
+    workspaceId: string;
+    plaintext: string;
+}) => {
+    
+    try {
+        const key = await getKey({ workspaceId });
+        const { ciphertext, iv, tag } = encryptSymmetric({
+            plaintext,
+            key
+        });
+        
+        return ({
+            ciphertext,
+            iv,
+            tag
+        });
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to perform symmetric encryption with bot');
+    }
+}
+/**
+ * Return symmetrically decrypted [ciphertext] using the
+ * key for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace
+ * @param {String} obj.ciphertext - ciphertext to decrypt
+ * @param {String} obj.iv - iv
+ * @param {String} obj.tag - tag
+ */
+const decryptSymmetricHelper = async ({
+    workspaceId,
+    ciphertext,
+    iv,
+    tag
+}: {
+    workspaceId: string;
+    ciphertext: string;
+    iv: string;
+    tag: string;
+}) => {
+    let plaintext;
+    try {
+        const key = await getKey({ workspaceId });
+        const plaintext = decryptSymmetric({
+            ciphertext,
+            iv,
+            tag,
+            key
+        });
+        
+        return plaintext;
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to perform symmetric decryption with bot');
+    }
+    
+    return plaintext;
+}
+
+export {
+    createBot,
+    getSecretsHelper,
+    encryptSymmetricHelper,
+    decryptSymmetricHelper
+}

backend/src/helpers/event.ts

@@ -0,0 +1,51 @@
+import { Bot, IBot } from '../models';
+import * as Sentry from '@sentry/node';
+import { EVENT_PUSH_SECRETS } from '../variables';
+import { IntegrationService } from '../services';
+
+interface Event {
+    name: string;
+    workspaceId: string;
+    payload: any;
+}
+
+/**
+ * Handle event [event]
+ * @param {Object} obj
+ * @param {Event} obj.event - an event
+ * @param {String} obj.event.name - name of event
+ * @param {String} obj.event.workspaceId - id of workspace that event is part of
+ * @param {Object} obj.event.payload - payload of event (depends on event)
+ */
+const handleEventHelper = async ({
+    event
+}: {
+    event: Event;
+}) => {
+    const { workspaceId } = event;
+    
+    // TODO: moduralize bot check into separate function
+    const bot = await Bot.findOne({
+        workspace: workspaceId,
+        isActive: true
+    });
+    
+    if (!bot) return;
+    
+    try {
+        switch (event.name) {
+            case EVENT_PUSH_SECRETS:
+                IntegrationService.syncIntegrations({
+                    workspaceId
+                });
+                break;
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+    }
+}
+
+export {
+    handleEventHelper
+}

backend/src/helpers/integration.ts

@@ -0,0 +1,358 @@
+import * as Sentry from '@sentry/node';
+import {
+    Bot,
+    Integration,
+    IntegrationAuth,
+} from '../models';
+import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
+import { BotService } from '../services';
+import {
+    ENV_DEV,
+    EVENT_PUSH_SECRETS,
+    INTEGRATION_VERCEL,
+    INTEGRATION_NETLIFY
+} from '../variables';
+import { UnauthorizedRequestError } from '../utils/errors';
+import RequestError from '../utils/requestError';
+
+interface Update {
+    workspace: string;
+    integration: string;
+    teamId?: string;
+    accountId?: string;
+}
+
+/**
+ * Perform OAuth2 code-token exchange for workspace with id [workspaceId] and integration
+ * named [integration]
+ * - Store integration access and refresh tokens returned from the OAuth2 code-token exchange
+ * - Add placeholder inactive integration
+ * - Create bot sequence for integration
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace
+ * @param {String} obj.integration - name of integration 
+ * @param {String} obj.code - code
+*/
+const handleOAuthExchangeHelper = async ({
+    workspaceId,
+    integration,
+    code
+}: {
+    workspaceId: string;
+    integration: string;
+    code: string;
+}) => {
+    let action;
+    let integrationAuth;
+    try {
+        const bot = await Bot.findOne({
+            workspace: workspaceId,
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled for OAuth2 code-token exchange');
+        
+        // exchange code for access and refresh tokens
+        const res = await exchangeCode({
+            integration,
+            code
+        });
+        
+        const update: Update = {
+            workspace: workspaceId,
+            integration
+        }
+        
+        switch (integration) {
+            case INTEGRATION_VERCEL:
+                update.teamId = res.teamId;
+                break;
+            case INTEGRATION_NETLIFY:
+                update.accountId = res.accountId;
+                break;
+        }
+        
+        integrationAuth = await IntegrationAuth.findOneAndUpdate({
+            workspace: workspaceId,
+            integration
+        }, update, {
+            new: true,
+            upsert: true
+        });
+        
+        if (res.refreshToken) {
+            // case: refresh token returned from exchange
+            // set integration auth refresh token
+            await setIntegrationAuthRefreshHelper({
+                integrationAuthId: integrationAuth._id.toString(),
+                refreshToken: res.refreshToken
+            });
+        }
+        
+        if (res.accessToken) {
+            // case: access token returned from exchange
+            // set integration auth access token
+            await setIntegrationAuthAccessHelper({
+                integrationAuthId: integrationAuth._id.toString(),
+                accessToken: res.accessToken,
+                accessExpiresAt: res.accessExpiresAt
+            });
+        }
+
+        // initialize new integration after exchange
+        await new Integration({
+            workspace: workspaceId,
+            environment: ENV_DEV,
+            isActive: false,
+            app: null,
+            integration,
+            integrationAuth: integrationAuth._id
+        }).save();
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to handle OAuth2 code-token exchange')
+    }
+}
+/**
+ * Sync/push environment variables in workspace with id [workspaceId] to
+ * all active integrations for that workspace
+ * @param {Object} obj
+ * @param {Object} obj.workspaceId - id of workspace
+ */
+const syncIntegrationsHelper = async ({
+    workspaceId
+}: {
+    workspaceId: string;
+}) => {
+    let integrations;
+    try {
+
+        integrations = await Integration.find({
+            workspace: workspaceId,
+            isActive: true,
+            app: { $ne: null }
+        });
+
+        // for each workspace integration, sync/push secrets
+        // to that integration
+        for await (const integration of integrations) {
+            // get workspace, environment (shared) secrets
+            const secrets = await BotService.getSecrets({ // issue here?
+                workspaceId: integration.workspace.toString(),
+                environment: integration.environment
+            });
+            
+            const integrationAuth = await IntegrationAuth.findById(integration.integrationAuth);
+            if (!integrationAuth) throw new Error('Failed to find integration auth');
+            
+            // get integration auth access token
+            const accessToken = await getIntegrationAuthAccessHelper({
+                integrationAuthId: integration.integrationAuth.toString()
+            });
+
+            // sync secrets to integration
+            await syncSecrets({
+                integration,
+                integrationAuth,
+                secrets,
+                accessToken
+            });
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to sync secrets to integrations');
+    }
+}
+
+/**
+ * Return decrypted refresh token using the bot's copy
+ * of the workspace key for workspace belonging to integration auth
+ * with id [integrationAuthId]
+ * @param {Object} obj
+ * @param {String} obj.integrationAuthId - id of integration auth
+ * @param {String} refreshToken - decrypted refresh token
+ */
+ const getIntegrationAuthRefreshHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+    let refreshToken;
+	
+    try {
+        const integrationAuth = await IntegrationAuth
+            .findById(integrationAuthId)
+            .select('+refreshCiphertext +refreshIV +refreshTag');
+
+        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
+
+        refreshToken = await BotService.decryptSymmetric({
+            workspaceId: integrationAuth.workspace.toString(),
+            ciphertext: integrationAuth.refreshCiphertext as string,
+            iv: integrationAuth.refreshIV as string,
+            tag: integrationAuth.refreshTag as string
+        });
+
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+        if(err instanceof RequestError)
+            throw err
+        else
+            throw new Error('Failed to get integration refresh token');
+    }
+    
+    return refreshToken;
+}
+
+/**
+ * Return decrypted access token using the bot's copy
+ * of the workspace key for workspace belonging to integration auth
+ * with id [integrationAuthId]
+ * @param {Object} obj
+ * @param {String} obj.integrationAuthId - id of integration auth
+ * @returns {String} accessToken - decrypted access token
+ */
+const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+    let accessToken;
+	
+    try {
+        const integrationAuth = await IntegrationAuth
+            .findById(integrationAuthId)
+            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext');
+
+        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});
+
+        accessToken = await BotService.decryptSymmetric({
+            workspaceId: integrationAuth.workspace.toString(),
+            ciphertext: integrationAuth.accessCiphertext as string,
+            iv: integrationAuth.accessIV as string,
+            tag: integrationAuth.accessTag as string
+        });
+
+        if (integrationAuth?.accessExpiresAt && integrationAuth?.refreshCiphertext) {
+            // there is a access token expiration date
+            // and refresh token to exchange with the OAuth2 server
+            
+            if (integrationAuth.accessExpiresAt < new Date()) {
+                // access token is expired
+                const refreshToken = await getIntegrationAuthRefreshHelper({ integrationAuthId });
+                accessToken = await exchangeRefresh({
+                    integration: integrationAuth.integration,
+                    refreshToken
+                });
+            }
+        }
+
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+        if(err instanceof RequestError)
+            throw err
+        else
+            throw new Error('Failed to get integration access token');
+    }
+    
+    return accessToken;
+}
+
+/**
+ * Encrypt refresh token [refreshToken] using the bot's copy
+ * of the workspace key for workspace belonging to integration auth
+ * with id [integrationAuthId] and store it
+ * @param {Object} obj
+ * @param {String} obj.integrationAuthId - id of integration auth
+ * @param {String} obj.refreshToken - refresh token
+ */
+const setIntegrationAuthRefreshHelper = async ({
+    integrationAuthId,
+    refreshToken
+}: {
+    integrationAuthId: string;
+    refreshToken: string;
+}) => {
+    
+    let integrationAuth;
+    try {
+        integrationAuth = await IntegrationAuth
+            .findById(integrationAuthId);
+        
+        if (!integrationAuth) throw new Error('Failed to find integration auth');
+        
+        const obj = await BotService.encryptSymmetric({
+            workspaceId: integrationAuth.workspace.toString(),
+            plaintext: refreshToken
+        });
+        
+        integrationAuth = await IntegrationAuth.findOneAndUpdate({
+            _id: integrationAuthId
+        }, {
+            refreshCiphertext: obj.ciphertext,
+            refreshIV: obj.iv,
+            refreshTag: obj.tag
+        }, {
+            new: true
+        });
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to set integration auth refresh token');
+    }
+    
+    return integrationAuth;
+}
+
+/**
+ * Encrypt access token [accessToken] using the bot's copy
+ * of the workspace key for workspace belonging to integration auth
+ * with id [integrationAuthId] and store it along with [accessExpiresAt]
+ * @param {Object} obj
+ * @param {String} obj.integrationAuthId - id of integration auth
+ * @param {String} obj.accessToken - access token
+ * @param {Date} obj.accessExpiresAt - expiration date of access token
+ */
+const setIntegrationAuthAccessHelper = async ({
+    integrationAuthId,
+    accessToken,
+    accessExpiresAt
+}: {
+    integrationAuthId: string;
+    accessToken: string;
+    accessExpiresAt: Date;
+}) => {
+    let integrationAuth;
+    try {
+        integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+        
+        if (!integrationAuth) throw new Error('Failed to find integration auth');
+        
+        const obj = await BotService.encryptSymmetric({
+            workspaceId: integrationAuth.workspace.toString(),
+            plaintext: accessToken
+        });
+        
+        integrationAuth = await IntegrationAuth.findOneAndUpdate({
+            _id: integrationAuthId
+        }, {
+            accessCiphertext: obj.ciphertext,
+            accessIV: obj.iv,
+            accessTag: obj.tag,
+            accessExpiresAt
+        }, {
+            new: true
+        });
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to save integration auth access token');
+    }
+    
+    return integrationAuth;
+}
+
+export {
+    handleOAuthExchangeHelper,
+    syncIntegrationsHelper,
+    getIntegrationAuthRefreshHelper,
+    getIntegrationAuthAccessHelper,
+    setIntegrationAuthRefreshHelper,
+    setIntegrationAuthAccessHelper
+}

backend/src/helpers/integrationAuth.ts

@@ -1,174 +0,0 @@
-import * as Sentry from '@sentry/node';
-import axios from 'axios';
-import { IntegrationAuth } from '../models';
-import { encryptSymmetric, decryptSymmetric } from '../utils/crypto';
-import { IIntegrationAuth } from '../models';
-import {
-	ENCRYPTION_KEY,
-	OAUTH_CLIENT_SECRET_HEROKU,
-	OAUTH_TOKEN_URL_HEROKU
-} from '../config';
-
-/**
- * Process token exchange and refresh responses from respective OAuth2 authorization servers by
- * encrypting access and refresh tokens, computing new access token expiration times [accessExpiresAt],
- * and upserting them into the DB for workspace with id [workspaceId] and integration [integration].
- * @param {Object} obj
- * @param {String} obj.workspaceId - id of workspace
- * @param {String} obj.integration - name of integration (e.g. heroku)
- * @param {Object} obj.res - response from OAuth2 authorization server
- */
-const processOAuthTokenRes = async ({
-	workspaceId,
-	integration,
-	res
-}: {
-	workspaceId: string;
-	integration: string;
-	res: any;
-}): Promise<IIntegrationAuth> => {
-	let integrationAuth;
-	try {
-		// encrypt refresh + access tokens
-		const {
-			ciphertext: refreshCiphertext,
-			iv: refreshIV,
-			tag: refreshTag
-		} = encryptSymmetric({
-			plaintext: res.data.refresh_token,
-			key: ENCRYPTION_KEY
-		});
-
-		const {
-			ciphertext: accessCiphertext,
-			iv: accessIV,
-			tag: accessTag
-		} = encryptSymmetric({
-			plaintext: res.data.access_token,
-			key: ENCRYPTION_KEY
-		});
-
-		// compute access token expiration date
-		const accessExpiresAt = new Date();
-		accessExpiresAt.setSeconds(
-			accessExpiresAt.getSeconds() + res.data.expires_in
-		);
-
-		// create or replace integration authorization with encrypted tokens
-		// and access token expiration date
-		integrationAuth = await IntegrationAuth.findOneAndUpdate(
-			{ workspace: workspaceId, integration },
-			{
-				workspace: workspaceId,
-				integration,
-				refreshCiphertext,
-				refreshIV,
-				refreshTag,
-				accessCiphertext,
-				accessIV,
-				accessTag,
-				accessExpiresAt
-			},
-			{ upsert: true, new: true }
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error(
-			'Failed to process OAuth2 authorization server token response'
-		);
-	}
-
-	return integrationAuth;
-};
-
-/**
- * Return access token for integration either by decrypting a non-expired access token [accessCiphertext] on
- * the integration authorization document or by requesting a new one by decrypting and exchanging the
- * refresh token [refreshCiphertext] with the respective OAuth2 authorization server.
- * @param {Object} obj
- * @param {IIntegrationAuth} obj.integrationAuth - an integration authorization document
- * @returns {String} access token - new access token
- */
-const getOAuthAccessToken = async ({
-	integrationAuth
-}: {
-	integrationAuth: IIntegrationAuth;
-}) => {
-	let accessToken;
-	try {
-		const {
-			refreshCiphertext,
-			refreshIV,
-			refreshTag,
-			accessCiphertext,
-			accessIV,
-			accessTag,
-			accessExpiresAt
-		} = integrationAuth;
-
-		if (
-			refreshCiphertext &&
-			refreshIV &&
-			refreshTag &&
-			accessCiphertext &&
-			accessIV &&
-			accessTag &&
-			accessExpiresAt
-		) {
-			if (accessExpiresAt < new Date()) {
-				// case: access token expired
-				// TODO: fetch another access token
-
-				let clientSecret;
-				switch (integrationAuth.integration) {
-					case 'heroku':
-						clientSecret = OAUTH_CLIENT_SECRET_HEROKU;
-				}
-
-				// record new access token and refresh token
-				// encrypt refresh + access tokens
-				const refreshToken = decryptSymmetric({
-					ciphertext: refreshCiphertext,
-					iv: refreshIV,
-					tag: refreshTag,
-					key: ENCRYPTION_KEY
-				});
-
-				// TODO: make route compatible with other integration types
-				const res = await axios.post(
-					OAUTH_TOKEN_URL_HEROKU, // maybe shouldn't be a config variable?
-					new URLSearchParams({
-						grant_type: 'refresh_token',
-						refresh_token: refreshToken,
-						client_secret: clientSecret
-					} as any)
-				);
-
-				accessToken = res.data.access_token;
-
-				await processOAuthTokenRes({
-					workspaceId: integrationAuth.workspace.toString(),
-					integration: integrationAuth.integration,
-					res
-				});
-			} else {
-				// case: access token still works
-				accessToken = decryptSymmetric({
-					ciphertext: accessCiphertext,
-					iv: accessIV,
-					tag: accessTag,
-					key: ENCRYPTION_KEY
-				});
-			}
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to get OAuth2 access token');
-	}
-
-	return accessToken;
-};
-
-export { processOAuthTokenRes, getOAuthAccessToken };

backend/src/helpers/membership.ts

@@ -1,6 +1,52 @@
 import * as Sentry from '@sentry/node';
 import { Membership, Key } from '../models';
 
+/**
+ * Validate that user with id [userId] is a member of workspace with id [workspaceId]
+ * and has at least one of the roles in [acceptedRoles] and statuses in [acceptedStatuses]
+ * @param {Object} obj
+ * @param {String} obj.userId - id of user to validate
+ * @param {String} obj.workspaceId - id of workspace
+ */
+const validateMembership = async ({
+	userId,
+	workspaceId,
+	acceptedRoles,
+	acceptedStatuses
+}: {
+	userId: string;
+	workspaceId: string;
+	acceptedRoles: string[];
+	acceptedStatuses: string[];
+}) => {
+	
+	let membership;
+	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
+	try {
+		membership = await Membership.findOne({
+			user: userId,
+			workspace: workspaceId
+		});
+		
+		if (!membership) throw new Error('Failed to find membership');
+		
+		if (!acceptedRoles.includes(membership.role)) {
+			throw new Error('Failed to validate membership role');
+		}
+
+		if (!acceptedStatuses.includes(membership.status)) {
+			throw new Error('Failed to validate membership status');
+		}
+		
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to validate membership');
+	}
+	
+	return membership;
+}
+
 /**
  * Return membership matching criteria specified in query [queryObj]
  * @param {Object} queryObj - query object
@@ -97,4 +143,9 @@ const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
 	return deletedMembership;
 };
 
-export { addMemberships, findMembership, deleteMembership };
+export { 
+	validateMembership,
+	addMemberships, 
+	findMembership, 
+	deleteMembership 
+};

backend/src/helpers/nodemailer.ts

@@ -2,21 +2,10 @@ import fs from 'fs';
 import path from 'path';
 import handlebars from 'handlebars';
 import nodemailer from 'nodemailer';
-import { SMTP_HOST, SMTP_NAME, SMTP_USERNAME, SMTP_PASSWORD } from '../config';
+import { SMTP_FROM_NAME, SMTP_FROM_ADDRESS } from '../config';
+import * as Sentry from '@sentry/node';
 
-// create nodemailer transporter
-const transporter = nodemailer.createTransport({
-	host: SMTP_HOST,
-	port: 587,
-	auth: {
-		user: SMTP_USERNAME,
-		pass: SMTP_PASSWORD
-	}
-});
-transporter
-	.verify()
-	.then(() => console.log('SMTP - Successfully connected'))
-	.catch((err) => console.log('SMTP - Failed to connect'));
+let smtpTransporter: nodemailer.Transporter;
 
 /**
  * @param {Object} obj
@@ -26,33 +15,38 @@ transporter
  * @param {Object} obj.substitutions - object containing template substitutions
  */
 const sendMail = async ({
-	template,
-	subjectLine,
-	recipients,
-	substitutions
+  template,
+  subjectLine,
+  recipients,
+  substitutions
 }: {
-	template: string;
-	subjectLine: string;
-	recipients: string[];
-	substitutions: any;
+  template: string;
+  subjectLine: string;
+  recipients: string[];
+  substitutions: any;
 }) => {
-	try {
-		const html = fs.readFileSync(
-			path.resolve(__dirname, '../templates/' + template),
-			'utf8'
-		);
-		const temp = handlebars.compile(html);
-		const htmlToSend = temp(substitutions);
+  try {
+    const html = fs.readFileSync(
+      path.resolve(__dirname, '../templates/' + template),
+      'utf8'
+    );
+    const temp = handlebars.compile(html);
+    const htmlToSend = temp(substitutions);
 
-		await transporter.sendMail({
-			from: `"${SMTP_NAME}" <${SMTP_USERNAME}>`,
-			to: recipients.join(', '),
-			subject: subjectLine,
-			html: htmlToSend
-		});
-	} catch (err) {
-		console.error(err);
-	}
+    await smtpTransporter.sendMail({
+      from: `"${SMTP_FROM_NAME}" <${SMTP_FROM_ADDRESS}>`,
+      to: recipients.join(', '),
+      subject: subjectLine,
+      html: htmlToSend
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+  }
 };
 
-export { sendMail };
+const setTransporter = (transporter: nodemailer.Transporter) => {
+  smtpTransporter = transporter;
+};
+
+export { sendMail, setTransporter };

backend/src/helpers/rateLimiter.ts

@@ -2,34 +2,35 @@ import rateLimit from 'express-rate-limit';
 
 // 300 requests per 15 minutes
 const apiLimiter = rateLimit({
-	windowMs: 15 * 60 * 1000,
-	max: 400,
-	standardHeaders: true,
-	legacyHeaders: false
+  windowMs: 15 * 60 * 1000,
+  max: 400,
+  standardHeaders: true,
+  legacyHeaders: false,
+  skip: (request) => request.path === '/healthcheck'
 });
 
 // 5 requests per hour
 const signupLimiter = rateLimit({
-	windowMs: 60 * 60 * 1000,
-	max: 10,
-	standardHeaders: true,
-	legacyHeaders: false
+  windowMs: 60 * 60 * 1000,
+  max: 10,
+  standardHeaders: true,
+  legacyHeaders: false
 });
 
 // 10 requests per hour
 const loginLimiter = rateLimit({
-	windowMs: 60 * 60 * 1000,
-	max: 20,
-	standardHeaders: true,
-	legacyHeaders: false
+  windowMs: 60 * 60 * 1000,
+  max: 20,
+  standardHeaders: true,
+  legacyHeaders: false
 });
 
 // 5 requests per hour
 const passwordLimiter = rateLimit({
-	windowMs: 60 * 60 * 1000,
-	max: 10,
-	standardHeaders: true,
-	legacyHeaders: false
+  windowMs: 60 * 60 * 1000,
+  max: 10,
+  standardHeaders: true,
+  legacyHeaders: false
 });
 
 export { apiLimiter, signupLimiter, loginLimiter, passwordLimiter };

backend/src/helpers/secret.ts

@@ -1,10 +1,20 @@
 import * as Sentry from '@sentry/node';
 import {
 	Secret,
-	ISecret
+	ISecret,
 } from '../models';
+import {
+	EESecretService
+} from '../ee/services';
+import {
+	SecretVersion
+} from '../ee/models';
+import {
+	takeSecretSnapshotHelper
+} from '../ee/helpers/secret';
 import { decryptSymmetric } from '../utils/crypto';
 import { SECRET_SHARED, SECRET_PERSONAL } from '../variables';
+import { LICENSE_KEY } from '../config';
 
 interface PushSecret {
 	ciphertextKey: string;
@@ -19,7 +29,7 @@ interface PushSecret {
 }
 
 interface Update {
-	[index: string]: string;
+	[index: string]: any;
 }
 
 type DecryptSecretType = 'text' | 'object' | 'expanded';
@@ -46,6 +56,7 @@ const pushSecrets = async ({
 	environment: string;
 	secrets: PushSecret[];
 }): Promise<void> => {
+	// TODO: clean up function and fix up types
 	try {
 		// construct useful data structures
 		const oldSecrets = await pullSecrets({
@@ -53,74 +64,124 @@ const pushSecrets = async ({
 			workspaceId,
 			environment
 		});
-		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) => {
-			return { ...accumulator, [s.secretKeyHash]: s };
-		}, {});
-		const newSecretsObj = secrets.reduce((accumulator, s) => {
-			return { ...accumulator, [s.hashKey]: s };
-		}, {});
+		
+		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) => 
+			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
+		, {});
+		const newSecretsObj: any = secrets.reduce((accumulator, s) => 
+			({ ...accumulator, [`${s.type}-${s.hashKey}`]: s })
+		, {});
 
 		// handle deleting secrets
-		const toDelete = oldSecrets.filter(
-			(s: ISecret) => !(s.secretKeyHash in newSecretsObj)
-		);
+		const toDelete = oldSecrets
+			.filter(
+				(s: ISecret) => !(`${s.type}-${s.secretKeyHash}` in newSecretsObj)
+			)
+			.map((s) => s._id);
 		if (toDelete.length > 0) {
 			await Secret.deleteMany({
-				_id: { $in: toDelete.map((s) => s._id) }
+				_id: { $in: toDelete }
+			});
+			
+			await SecretVersion.updateMany({
+				secret: { $in: toDelete }
+			}, {
+				isDeleted: true
 			});
 		}
-
-		// handle modifying secrets where type or value changed
-		const operations = secrets
+		
+		const toUpdate = oldSecrets
 			.filter((s) => {
-				if (s.hashKey in oldSecretsObj) {
-					if (s.hashValue !== oldSecretsObj[s.hashKey].secretValueHash) {
+				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue) {
 						// case: filter secrets where value changed
 						return true;
 					}
 
-					if (s.type !== oldSecretsObj[s.hashKey].type) {
-						// case: filter secrets where type changed
+					if (!s.version) {
+						// case: filter (legacy) secrets that were not versioned
 						return true;
 					}
 				}
-
+				
 				return false;
-			})
+			});
+
+		const operations = toUpdate
 			.map((s) => {
+				const {
+					ciphertextValue,
+					ivValue,
+					tagValue,
+					hashValue
+				} = newSecretsObj[`${s.type}-${s.secretKeyHash}`];
+
 				const update: Update = {
-					type: s.type,
-					secretValueCiphertext: s.ciphertextValue,
-					secretValueIV: s.ivValue,
-					secretValueTag: s.tagValue,
-					secretValueHash: s.hashValue
-				};
+					secretValueCiphertext: ciphertextValue,
+					secretValueIV: ivValue,
+					secretValueTag: tagValue,
+					secretValueHash: hashValue
+				}
+
+				if (!s.version) {
+					// case: (legacy) secret was not versioned
+					update.version = 1;
+				} else {
+					update['$inc'] = {
+						version: 1
+					}
+				}
 
 				if (s.type === SECRET_PERSONAL) {
-					// attach user assocaited with the personal secret
+					// attach user associated with the personal secret
 					update['user'] = userId;
 				}
 
 				return {
 					updateOne: {
 						filter: {
-							workspace: workspaceId,
-							_id: oldSecretsObj[s.hashKey]._id
+							_id: oldSecretsObj[`${s.type}-${s.secretKeyHash}`]._id
 						},
 						update
 					}
 				};
 			});
-		const a = await Secret.bulkWrite(operations as any);
+		await Secret.bulkWrite(operations as any);
+		
+		// (EE) add secret versions for updated secrets
+		await EESecretService.addSecretVersions({
+			secretVersions: toUpdate.map(({
+				_id,
+				version,
+				type,
+				secretKeyHash,
+			}) => {
+				const newSecret = newSecretsObj[`${type}-${secretKeyHash}`];
+				return ({
+					secret: _id,
+					version: version ? version + 1 : 1,
+					isDeleted: false,
+					secretKeyCiphertext: newSecret.ciphertextKey,
+					secretKeyIV: newSecret.ivKey,
+					secretKeyTag: newSecret.tagKey,
+					secretKeyHash: newSecret.hashKey,
+					secretValueCiphertext: newSecret.ciphertextValue,
+					secretValueIV: newSecret.ivValue,
+					secretValueTag: newSecret.tagValue,
+					secretValueHash: newSecret.hashValue
+				})
+			}) 
+		});
 
 		// handle adding new secrets
-		const toAdd = secrets.filter((s) => !(s.hashKey in oldSecretsObj));
+		const toAdd = secrets.filter((s) => !(`${s.type}-${s.hashKey}` in oldSecretsObj));
 
 		if (toAdd.length > 0) {
 			// add secrets
-			await Secret.insertMany(
+			const newSecrets = await Secret.insertMany(
 				toAdd.map((s, idx) => {
-					let obj: any = {
+					const obj: any = {
+						version: 1,
 						workspace: workspaceId,
 						type: toAdd[idx].type,
 						environment,
@@ -141,7 +202,39 @@ const pushSecrets = async ({
 					return obj;
 				})
 			);
+
+			// (EE) add secret versions for new secrets
+			EESecretService.addSecretVersions({
+				secretVersions: newSecrets.map(({
+					_id,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash
+				}) => ({
+					secret: _id,
+					version: 1,
+					isDeleted: false,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash
+				}))
+			});
 		}
+		
+		// (EE) take a secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId
+		})
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@@ -295,6 +388,8 @@ const decryptSecrets = ({
 	return content;
 };
 
+
+
 export {
 	pushSecrets,
 	pullSecrets,

backend/src/helpers/signup.ts

@@ -33,7 +33,7 @@ const sendEmailVerification = async ({ email }: { email: string }) => {
 		// send mail
 		await sendMail({
 			template: 'emailVerification.handlebars',
-			subjectLine: 'Infisical workspace invitation',
+			subjectLine: 'Infisical confirmation code',
 			recipients: [email],
 			substitutions: {
 				code: token
@@ -66,7 +66,7 @@ const checkEmailVerification = async ({
 			email,
 			token: code
 		});
-
+	
 		if (!token) throw new Error('Failed to find email verification token');
 	} catch (err) {
 		Sentry.setUser(null);
@@ -106,7 +106,7 @@ const initializeDefaultOrg = async ({
 
 		// initialize a default workspace inside the new organization
 		const workspace = await createWorkspace({
-			name: `${user.firstName}'s Project`,
+			name: `Example Project`,
 			organizationId: organization._id.toString()
 		});
 

backend/src/helpers/workspace.ts

@@ -1,13 +1,16 @@
 import * as Sentry from '@sentry/node';
 import {
 	Workspace,
+	Bot,
 	Membership,
 	Key,
 	Secret
 } from '../models';
+import { createBot } from '../helpers/bot';
 
 /**
  * Create a workspace with name [name] in organization with id [organizationId]
+ * and a bot for it.
  * @param {String} name - name of workspace to create.
  * @param {String} organizationId - id of organization to create workspace in
  * @param {Object} workspace - new workspace
@@ -21,10 +24,16 @@ const createWorkspace = async ({
 }) => {
 	let workspace;
 	try {
+		// create workspace
 		workspace = await new Workspace({
 			name,
 			organization: organizationId
 		}).save();
+		
+		const bot = await createBot({
+			name: 'Infisical Bot',
+			workspaceId: workspace._id.toString()
+		});
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@@ -43,6 +52,9 @@ const createWorkspace = async ({
 const deleteWorkspace = async ({ id }: { id: string }) => {
 	try {
 		await Workspace.deleteOne({ _id: id });
+		await Bot.deleteOne({
+			workspace: id
+		});
 		await Membership.deleteMany({
 			workspace: id
 		});

backend/src/index.ts

@@ -1,91 +1,25 @@
-import express from 'express';
-import helmet from 'helmet';
-import cors from 'cors';
-import cookieParser from 'cookie-parser';
-import mongoose from 'mongoose';
 import dotenv from 'dotenv';
-
 dotenv.config();
+
 import * as Sentry from '@sentry/node';
-import { PORT, SENTRY_DSN, NODE_ENV, MONGO_URL, SITE_URL, POSTHOG_PROJECT_API_KEY, POSTHOG_HOST, TELEMETRY_ENABLED } from './config';
-import { apiLimiter } from './helpers/rateLimiter';
+import { SENTRY_DSN, NODE_ENV, MONGO_URL } from './config';
+import { server } from './app';
+import { initDatabase } from './services/database';
+import { setUpHealthEndpoint } from './services/health';
+import { initSmtp } from './services/smtp';
+import { setTransporter } from './helpers/nodemailer';
 
-const app = express();
+initDatabase(MONGO_URL);
 
-Sentry.init({
-	dsn: SENTRY_DSN,
-	tracesSampleRate: 1.0,
-	debug: NODE_ENV === 'production' ? false : true,
-	environment: NODE_ENV
-});
+setUpHealthEndpoint(server);
 
-import {
-	signup as signupRouter,
-	auth as authRouter,
-	organization as organizationRouter,
-	workspace as workspaceRouter,
-	membershipOrg as membershipOrgRouter,
-	membership as membershipRouter,
-	key as keyRouter,
-	inviteOrg as inviteOrgRouter,
-	user as userRouter,
-	userAction as userActionRouter,
-	secret as secretRouter,
-	serviceToken as serviceTokenRouter,
-	password as passwordRouter,
-	stripe as stripeRouter,
-	integration as integrationRouter,
-	integrationAuth as integrationAuthRouter
-} from './routes';
+setTransporter(initSmtp());
 
-const connectWithRetry = () => {
-	mongoose.connect(MONGO_URL)
-	.then(() => console.log('Successfully connected to DB'))
-	.catch((e) => {
-		console.log('Failed to connect to DB ', e);
-		setTimeout(() => {
-			console.log(e);
-		}, 5000);
-	});
+if (NODE_ENV !== 'test') {
+  Sentry.init({
+    dsn: SENTRY_DSN,
+    tracesSampleRate: 1.0,
+    debug: NODE_ENV === 'production' ? false : true,
+    environment: NODE_ENV
+  });
 }
-
-connectWithRetry();
-
-app.enable('trust proxy');
-app.use(cookieParser());
-app.use(cors({
-	credentials: true,
-	origin: SITE_URL
-}));
-
-if (NODE_ENV === 'production') {
-	// enable app-wide rate-limiting + helmet security
-	// in production
-	app.disable('x-powered-by');
-	app.use(apiLimiter);
-	app.use(helmet());
-}
-
-app.use(express.json());
-
-// routers
-app.use('/api/v1/signup', signupRouter);
-app.use('/api/v1/auth', authRouter);
-app.use('/api/v1/user', userRouter);
-app.use('/api/v1/user-action', userActionRouter);
-app.use('/api/v1/organization', organizationRouter);
-app.use('/api/v1/workspace', workspaceRouter);
-app.use('/api/v1/membership-org', membershipOrgRouter);
-app.use('/api/v1/membership', membershipRouter);
-app.use('/api/v1/key', keyRouter);
-app.use('/api/v1/invite-org', inviteOrgRouter);
-app.use('/api/v1/secret', secretRouter);
-app.use('/api/v1/service-token', serviceTokenRouter);
-app.use('/api/v1/password', passwordRouter);
-app.use('/api/v1/stripe', stripeRouter);
-app.use('/api/v1/integration', integrationRouter);
-app.use('/api/v1/integration-auth', integrationAuthRouter);
-
-app.listen(PORT, () => {
-	console.log('Listening on PORT ' + PORT);
-});

backend/src/integrations/apps.ts

@@ -0,0 +1,213 @@
+import axios from 'axios';
+import * as Sentry from '@sentry/node';
+import { Octokit } from '@octokit/rest';
+import { IIntegrationAuth } from '../models';
+import {
+  INTEGRATION_HEROKU,
+  INTEGRATION_VERCEL,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_GITHUB,
+  INTEGRATION_HEROKU_API_URL,
+  INTEGRATION_VERCEL_API_URL,
+  INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_GITHUB_API_URL
+} from '../variables';
+
+interface GitHubApp {
+  name: string;
+}
+
+/**
+ * Return list of names of apps for integration named [integration]
+ * @param {Object} obj
+ * @param {String} obj.integration - name of integration
+ * @param {String} obj.accessToken - access token for integration
+ * @returns {Object[]} apps - names of integration apps
+ * @returns {String} apps.name - name of integration app
+ */
+const getApps = async ({
+  integrationAuth,
+  accessToken
+}: {
+  integrationAuth: IIntegrationAuth;
+  accessToken: string;
+}) => {
+  interface App {
+    name: string;
+    siteId?: string;
+  }
+
+  let apps: App[]; // TODO: add type and define payloads for apps
+  try {
+    switch (integrationAuth.integration) {
+      case INTEGRATION_HEROKU:
+        apps = await getAppsHeroku({
+          accessToken
+        });
+        break;
+      case INTEGRATION_VERCEL:
+        apps = await getAppsVercel({
+          accessToken
+        });
+        break;
+      case INTEGRATION_NETLIFY:
+        apps = await getAppsNetlify({
+          integrationAuth,
+          accessToken
+        });
+        break;
+      case INTEGRATION_GITHUB:
+        apps = await getAppsGithub({
+          integrationAuth,
+          accessToken
+        });
+        break;
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get integration apps');
+  }
+
+  return apps;
+};
+
+/**
+ * Return list of names of apps for Heroku integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Heroku API
+ * @returns {Object[]} apps - names of Heroku apps
+ * @returns {String} apps.name - name of Heroku app
+ */
+const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
+  let apps;
+  try {
+    const res = (
+      await axios.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
+        headers: {
+          Accept: 'application/vnd.heroku+json; version=3',
+          Authorization: `Bearer ${accessToken}`
+        }
+      })
+    ).data;
+
+    apps = res.map((a: any) => ({
+      name: a.name
+    }));
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Heroku integration apps');
+  }
+
+  return apps;
+};
+
+/**
+ * Return list of names of apps for Vercel integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Vercel API
+ * @returns {Object[]} apps - names of Vercel apps
+ * @returns {String} apps.name - name of Vercel app
+ */
+const getAppsVercel = async ({ accessToken }: { accessToken: string }) => {
+  let apps;
+  try {
+    const res = (
+      await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        }
+      })
+    ).data;
+
+    apps = res.projects.map((a: any) => ({
+      name: a.name
+    }));
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Vercel integration apps');
+  }
+
+  return apps;
+};
+
+/**
+ * Return list of names of sites for Netlify integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Netlify API
+ * @returns {Object[]} apps - names of Netlify sites
+ * @returns {String} apps.name - name of Netlify site
+ */
+const getAppsNetlify = async ({
+  integrationAuth,
+  accessToken
+}: {
+  integrationAuth: IIntegrationAuth;
+  accessToken: string;
+}) => {
+  let apps;
+  try {
+    const res = (
+      await axios.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`
+        }
+      })
+    ).data;
+
+    apps = res.map((a: any) => ({
+      name: a.name,
+      siteId: a.site_id
+    }));
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Netlify integration apps');
+  }
+
+  return apps;
+};
+
+/**
+ * Return list of names of repositories for Github integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for Netlify API
+ * @returns {Object[]} apps - names of Netlify sites
+ * @returns {String} apps.name - name of Netlify site
+ */
+const getAppsGithub = async ({
+  integrationAuth,
+  accessToken
+}: {
+  integrationAuth: IIntegrationAuth;
+  accessToken: string;
+}) => {
+  let apps;
+  try {
+    const octokit = new Octokit({
+      auth: accessToken
+    });
+
+    const repos = (await octokit.request(
+      'GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}',
+      {}
+    )).data;
+
+    apps = repos
+      .filter((a:any) => a.permissions.admin === true)
+      .map((a: any) => ({
+          name: a.name
+        })
+      );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get Github repos');
+  }
+
+  return apps;
+};
+
+export { getApps };

backend/src/integrations/exchange.ts

@@ -0,0 +1,286 @@
+import axios from 'axios';
+import * as Sentry from '@sentry/node';
+import {
+  INTEGRATION_HEROKU,
+  INTEGRATION_VERCEL,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_GITHUB,
+  INTEGRATION_HEROKU_TOKEN_URL,
+  INTEGRATION_VERCEL_TOKEN_URL,
+  INTEGRATION_NETLIFY_TOKEN_URL,
+  INTEGRATION_GITHUB_TOKEN_URL,
+  INTEGRATION_GITHUB_API_URL
+} from '../variables';
+import {
+  SITE_URL,
+  CLIENT_ID_VERCEL,
+  CLIENT_ID_NETLIFY,
+  CLIENT_ID_GITHUB,
+  CLIENT_SECRET_HEROKU,
+  CLIENT_SECRET_VERCEL,
+  CLIENT_SECRET_NETLIFY,
+  CLIENT_SECRET_GITHUB
+} from '../config';
+import { user } from '../routes';
+
+interface ExchangeCodeHerokuResponse {
+  token_type: string;
+  access_token: string;
+  expires_in: number;
+  refresh_token: string;
+  user_id: string;
+  session_nonce?: string;
+}
+
+interface ExchangeCodeVercelResponse {
+  token_type: string;
+  access_token: string;
+  installation_id: string;
+  user_id: string;
+  team_id?: string;
+}
+
+interface ExchangeCodeNetlifyResponse {
+  access_token: string;
+  token_type: string;
+  refresh_token: string;
+  scope: string;
+  created_at: number;
+}
+
+interface ExchangeCodeGithubResponse {
+  access_token: string;
+  scope: string;
+  token_type: string;
+}
+
+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for OAuth2
+ * code-token exchange for integration named [integration]
+ * @param {Object} obj1
+ * @param {String} obj1.integration - name of integration
+ * @param {String} obj1.code - code for code-token exchange
+ * @returns {Object} obj
+ * @returns {String} obj.accessToken - access token for integration
+ * @returns {String} obj.refreshToken - refresh token for integration
+ * @returns {Date} obj.accessExpiresAt - date of expiration for access token
+ * @returns {String} obj.action - integration action for bot sequence
+ */
+const exchangeCode = async ({
+  integration,
+  code
+}: {
+  integration: string;
+  code: string;
+}) => {
+  let obj = {} as any;
+
+  try {
+    switch (integration) {
+      case INTEGRATION_HEROKU:
+        obj = await exchangeCodeHeroku({
+          code
+        });
+        break;
+      case INTEGRATION_VERCEL:
+        obj = await exchangeCodeVercel({
+          code
+        });
+        break;
+      case INTEGRATION_NETLIFY:
+        obj = await exchangeCodeNetlify({
+          code
+        });
+        break;
+      case INTEGRATION_GITHUB:
+        obj = await exchangeCodeGithub({
+          code
+        });
+        break;
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange');
+  }
+
+  return obj;
+};
+
+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for Heroku
+ * OAuth2 code-token exchange
+ * @param {Object} obj1
+ * @param {Object} obj1.code - code for code-token exchange
+ * @returns {Object} obj2
+ * @returns {String} obj2.accessToken - access token for Heroku API
+ * @returns {String} obj2.refreshToken - refresh token for Heroku API
+ * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
+ */
+const exchangeCodeHeroku = async ({
+    code
+}: {
+    code: string;
+}) => {
+    let res: ExchangeCodeHerokuResponse;
+    const accessExpiresAt = new Date();
+    try {
+        res = (await axios.post(
+            INTEGRATION_HEROKU_TOKEN_URL,
+            new URLSearchParams({
+				grant_type: 'authorization_code',
+				code: code,
+				client_secret: CLIENT_SECRET_HEROKU
+			} as any)
+        )).data;
+        
+        accessExpiresAt.setSeconds(
+            accessExpiresAt.getSeconds() + res.expires_in
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed OAuth2 code-token exchange with Heroku');
+    }
+    
+    return ({
+        accessToken: res.access_token,
+        refreshToken: res.refresh_token,
+        accessExpiresAt
+    });
+}
+
+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for Vercel
+ * code-token exchange
+ * @param {Object} obj1
+ * @param {Object} obj1.code - code for code-token exchange
+ * @returns {Object} obj2
+ * @returns {String} obj2.accessToken - access token for Heroku API
+ * @returns {String} obj2.refreshToken - refresh token for Heroku API
+ * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
+ */
+const exchangeCodeVercel = async ({ code }: { code: string }) => {
+  let res: ExchangeCodeVercelResponse;
+  try {
+    res = (
+      await axios.post(
+        INTEGRATION_VERCEL_TOKEN_URL,
+        new URLSearchParams({
+          code: code,
+          client_id: CLIENT_ID_VERCEL,
+          client_secret: CLIENT_SECRET_VERCEL,
+          redirect_uri: `${SITE_URL}/vercel`
+        } as any)
+      )
+    ).data;
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Vercel');
+  }
+
+  return {
+    accessToken: res.access_token,
+    refreshToken: null,
+    accessExpiresAt: null,
+    teamId: res.team_id
+  };
+};
+
+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for Vercel
+ * code-token exchange
+ * @param {Object} obj1
+ * @param {Object} obj1.code - code for code-token exchange
+ * @returns {Object} obj2
+ * @returns {String} obj2.accessToken - access token for Heroku API
+ * @returns {String} obj2.refreshToken - refresh token for Heroku API
+ * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
+ */
+const exchangeCodeNetlify = async ({ code }: { code: string }) => {
+  let res: ExchangeCodeNetlifyResponse;
+  let accountId;
+  try {
+    res = (
+      await axios.post(
+        INTEGRATION_NETLIFY_TOKEN_URL,
+        new URLSearchParams({
+          grant_type: 'authorization_code',
+          code: code,
+          client_id: CLIENT_ID_NETLIFY,
+          client_secret: CLIENT_SECRET_NETLIFY,
+          redirect_uri: `${SITE_URL}/netlify`
+        } as any)
+      )
+    ).data;
+
+    const res2 = await axios.get('https://api.netlify.com/api/v1/sites', {
+      headers: {
+        Authorization: `Bearer ${res.access_token}`
+      }
+    });
+
+    const res3 = (
+      await axios.get('https://api.netlify.com/api/v1/accounts', {
+        headers: {
+          Authorization: `Bearer ${res.access_token}`
+        }
+      })
+    ).data;
+
+    accountId = res3[0].id;
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Netlify');
+  }
+
+  return {
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accountId
+  };
+};
+
+/**
+ * Return [accessToken], [accessExpiresAt], and [refreshToken] for Github
+ * code-token exchange
+ * @param {Object} obj1
+ * @param {Object} obj1.code - code for code-token exchange
+ * @returns {Object} obj2
+ * @returns {String} obj2.accessToken - access token for Github API
+ * @returns {String} obj2.refreshToken - refresh token for Github API
+ * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
+ */
+const exchangeCodeGithub = async ({ code }: { code: string }) => {
+  let res: ExchangeCodeGithubResponse;
+  try {
+    res = (
+      await axios.get(INTEGRATION_GITHUB_TOKEN_URL, {
+        params: {
+          client_id: CLIENT_ID_GITHUB,
+          client_secret: CLIENT_SECRET_GITHUB,
+          code: code,
+          redirect_uri: `${SITE_URL}/github`
+        },
+        headers: {
+          Accept: 'application/json'
+        }
+      })
+    ).data;
+
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Github');
+  }
+
+  return {
+    accessToken: res.access_token,
+    refreshToken: null,
+    accessExpiresAt: null
+  };
+};
+
+export { exchangeCode };

backend/src/integrations/index.ts

@@ -0,0 +1,13 @@
+import { exchangeCode } from './exchange';
+import { exchangeRefresh } from './refresh';
+import { getApps } from './apps';
+import { syncSecrets } from './sync';
+import { revokeAccess } from './revoke';
+
+export {
+    exchangeCode,
+    exchangeRefresh,
+    getApps,
+    syncSecrets,
+    revokeAccess
+}

backend/src/integrations/refresh.ts

@@ -0,0 +1,77 @@
+import axios from 'axios';
+import * as Sentry from '@sentry/node';
+import { INTEGRATION_HEROKU } from '../variables';
+import {
+    CLIENT_SECRET_HEROKU
+} from '../config';
+import {
+    INTEGRATION_HEROKU_TOKEN_URL
+} from '../variables';
+
+/**
+ * Return new access token by exchanging refresh token [refreshToken] for integration
+ * named [integration]
+ * @param {Object} obj
+ * @param {String} obj.integration - name of integration
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for Heroku
+ */
+const exchangeRefresh = async ({
+  integration,
+  refreshToken
+}: {
+  integration: string;
+  refreshToken: string;
+}) => {
+  let accessToken;
+  try {
+    switch (integration) {
+      case INTEGRATION_HEROKU:
+        accessToken = await exchangeRefreshHeroku({
+          refreshToken
+        });
+        break;
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get new OAuth2 access token');
+  }
+
+  return accessToken;
+};
+
+/**
+ * Return new access token by exchanging refresh token [refreshToken] for the
+ * Heroku integration
+ * @param {Object} obj
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for Heroku
+ * @returns
+ */
+const exchangeRefreshHeroku = async ({
+  refreshToken
+}: {
+  refreshToken: string;
+}) => {
+    let accessToken;
+	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
+    try {
+        const res = await axios.post(
+            INTEGRATION_HEROKU_TOKEN_URL,
+            new URLSearchParams({
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                client_secret: CLIENT_SECRET_HEROKU
+            } as any)
+        );
+
+    accessToken = res.data.access_token;
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get new OAuth2 access token for Heroku');
+  }
+
+  return accessToken;
+};
+
+export { exchangeRefresh };

backend/src/integrations/revoke.ts

@@ -0,0 +1,47 @@
+import axios from 'axios';
+import * as Sentry from '@sentry/node';
+import { IIntegrationAuth, IntegrationAuth, Integration } from '../models';
+import {
+  INTEGRATION_HEROKU,
+  INTEGRATION_VERCEL,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_GITHUB
+} from '../variables';
+
+const revokeAccess = async ({
+  integrationAuth,
+  accessToken
+}: {
+  integrationAuth: IIntegrationAuth;
+  accessToken: string;
+}) => {
+  try {
+    // add any integration-specific revocation logic
+    switch (integrationAuth.integration) {
+      case INTEGRATION_HEROKU:
+        break;
+      case INTEGRATION_VERCEL:
+        break;
+      case INTEGRATION_NETLIFY:
+        break;
+      case INTEGRATION_GITHUB:
+        break;
+    }
+
+    const deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
+      _id: integrationAuth._id
+    });
+
+    if (deletedIntegrationAuth) {
+      await Integration.deleteMany({
+        integrationAuth: deletedIntegrationAuth._id
+      });
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to delete integration authorization');
+  }
+};
+
+export { revokeAccess };

backend/src/integrations/sync.ts

@@ -0,0 +1,605 @@
+import axios from 'axios';
+import * as Sentry from '@sentry/node';
+import { Octokit } from '@octokit/rest';
+// import * as sodium from 'libsodium-wrappers';
+import sodium from 'libsodium-wrappers';
+// const sodium = require('libsodium-wrappers');
+import { IIntegration, IIntegrationAuth } from '../models';
+import {
+  INTEGRATION_HEROKU,
+  INTEGRATION_VERCEL,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_GITHUB,
+  INTEGRATION_HEROKU_API_URL,
+  INTEGRATION_VERCEL_API_URL,
+  INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_GITHUB_API_URL
+} from '../variables';
+import { access, appendFile } from 'fs';
+
+// TODO: need a helper function in the future to handle integration
+// envar priorities (i.e. prioritize secrets within integration or those on Infisical)
+
+/**
+ * Sync/push [secrets] to [app] in integration named [integration]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
+ * @param {Object} obj.app - app in integration
+ * @param {Object} obj.target - (optional) target (environment) in integration
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ * @param {String} obj.accessToken - access token for integration
+ */
+const syncSecrets = async ({
+  integration,
+  integrationAuth,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  integrationAuth: IIntegrationAuth;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    switch (integration.integration) {
+      case INTEGRATION_HEROKU:
+        await syncSecretsHeroku({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
+      case INTEGRATION_VERCEL:
+        await syncSecretsVercel({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
+      case INTEGRATION_NETLIFY:
+        await syncSecretsNetlify({
+          integration,
+          integrationAuth,
+          secrets,
+          accessToken
+        });
+        break;
+      case INTEGRATION_GITHUB:
+        await syncSecretsGitHub({
+          integration,
+          secrets,
+          accessToken
+        });
+        break;
+    }
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to integration');
+  }
+};
+
+/**
+ * Sync/push [secrets] to Heroku [app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ */
+const syncSecretsHeroku = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    const herokuSecrets = (
+      await axios.get(
+        `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
+        {
+          headers: {
+            Accept: 'application/vnd.heroku+json; version=3',
+            Authorization: `Bearer ${accessToken}`
+          }
+        }
+      )
+    ).data;
+
+    Object.keys(herokuSecrets).forEach((key) => {
+      if (!(key in secrets)) {
+        secrets[key] = null;
+      }
+    });
+
+    await axios.patch(
+      `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
+      secrets,
+      {
+        headers: {
+          Accept: 'application/vnd.heroku+json; version=3',
+          Authorization: `Bearer ${accessToken}`
+        }
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to Heroku');
+  }
+};
+
+/**
+ * Sync/push [secrets] to Heroku [app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ */
+const syncSecretsVercel = async ({
+    integration,
+    secrets,
+    accessToken
+}: {
+    integration: IIntegration,
+    secrets: any;
+    accessToken: string;
+}) => {
+    
+    interface VercelSecret {
+        id?: string;
+        type: string;
+        key: string;
+        value: string;
+        target: string[];
+    }
+    
+    try {
+        // Get all (decrypted) secrets back from Vercel in
+        // decrypted format
+        const params = new URLSearchParams({
+            decrypt: "true"
+        });
+        
+        const res = (await Promise.all((await axios.get(
+            `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`, 
+            {
+                params,
+                headers: {
+                    Authorization: `Bearer ${accessToken}`
+                }
+            }
+        ))
+        .data
+        .envs
+        .filter((secret: VercelSecret) => secret.target.includes(integration.target))
+        .map(async (secret: VercelSecret) => (await axios.get(
+                `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+                {
+                    headers: {
+                        Authorization: `Bearer ${accessToken}`
+                    }
+                    
+                }
+            )).data)
+        )).reduce((obj: any, secret: any) => ({
+            ...obj,
+            [secret.key]: secret
+        }), {});
+        
+        const updateSecrets: VercelSecret[] = [];
+        const deleteSecrets: VercelSecret[] = [];
+        const newSecrets: VercelSecret[] = [];
+
+        // Identify secrets to create
+        Object.keys(secrets).map((key) => {
+            if (!(key in res)) {
+                // case: secret has been created
+                newSecrets.push({
+                    key: key,
+                    value: secrets[key],
+                    type: 'encrypted',
+                    target: [integration.target]
+                });
+            }
+        });
+        
+        // Identify secrets to update and delete
+        Object.keys(res).map((key) => {
+            if (key in secrets) {
+                if (res[key].value !== secrets[key]) {
+                    // case: secret value has changed
+                    updateSecrets.push({
+                        id: res[key].id,
+                        key: key,
+                        value: secrets[key],
+                        type: 'encrypted',
+                        target: [integration.target]
+                    });
+                }
+            } else {
+                // case: secret has been deleted
+                deleteSecrets.push({
+                    id: res[key].id,
+                    key: key,
+                    value: res[key].value,
+                    type: 'encrypted',
+                    target: [integration.target],
+                });
+            }
+        });
+
+        // Sync/push new secrets
+        if (newSecrets.length > 0) {
+            await axios.post(
+                `${INTEGRATION_VERCEL_API_URL}/v10/projects/${integration.app}/env`,
+                newSecrets,
+                {
+                    headers: {
+                        Authorization: `Bearer ${accessToken}`
+                    }
+                }
+            );
+        }
+
+        // Sync/push updated secrets
+        if (updateSecrets.length > 0) {
+            updateSecrets.forEach(async (secret: VercelSecret) => {
+                const { 
+                    id, 
+                    ...updatedSecret 
+                } = secret;
+                await axios.patch(
+                    `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+                    updatedSecret,
+                    {
+                        headers: {
+                            Authorization: `Bearer ${accessToken}` 
+                        }
+                    }
+                );
+            });
+        }
+
+        // Delete secrets
+        if (deleteSecrets.length > 0) {
+            deleteSecrets.forEach(async (secret: VercelSecret) => {
+                await axios.delete(
+                    `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
+                    {
+                        headers: {
+                            Authorization: `Bearer ${accessToken}`
+                        }
+                    }
+                );
+            });
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to sync secrets to Vercel');
+    }
+}
+
+/**
+ * Sync/push [secrets] to Netlify site [app]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ */
+const syncSecretsNetlify = async ({
+    integration,
+    integrationAuth,
+    secrets,
+    accessToken
+}: {
+    integration: IIntegration;
+    integrationAuth: IIntegrationAuth;
+    secrets: any;
+    accessToken: string;
+}) => {
+    try {
+
+        interface NetlifyValue {
+            id?: string;
+            context: string; // 'dev' | 'branch-deploy' | 'deploy-preview' | 'production',
+            value: string;
+        }
+        
+        interface NetlifySecret {
+            key: string;
+            values: NetlifyValue[];
+        }
+        
+        interface NetlifySecretsRes {
+            [index: string]: NetlifySecret;
+        }
+        
+        const getParams = new URLSearchParams({
+            context_name: 'all', // integration.context or all
+            site_id: integration.siteId
+        });
+        
+        const res = (await axios.get(
+            `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
+            {
+                params: getParams,
+                headers: {
+                    Authorization: `Bearer ${accessToken}`
+                }
+            }
+        ))
+        .data
+        .reduce((obj: any, secret: any) => ({
+            ...obj,
+            [secret.key]: secret
+        }), {});
+        
+        const newSecrets: NetlifySecret[] = []; // createEnvVars
+        const deleteSecrets: string[] = []; // deleteEnvVar
+        const deleteSecretValues: NetlifySecret[] = []; // deleteEnvVarValue
+        const updateSecrets: NetlifySecret[] = []; // setEnvVarValue
+
+        // identify secrets to create and update
+        Object.keys(secrets).map((key) => {
+            if (!(key in res)) {
+                // case: Infisical secret does not exist in Netlify -> create secret
+                newSecrets.push({
+                    key,
+                    values: [{
+                        value: secrets[key],
+                        context: integration.context
+                    }]
+                });
+            } else {
+                // case: Infisical secret exists in Netlify
+                const contexts = res[key].values
+                    .reduce((obj: any, value: NetlifyValue) => ({
+                        ...obj,
+                        [value.context]: value
+                    }), {});
+                
+                if (integration.context in contexts) {
+                    // case: Netlify secret value exists in integration context
+                    if (secrets[key] !== contexts[integration.context].value) {
+                        // case: Infisical and Netlify secret values are different
+                        // -> update Netlify secret context and value
+                        updateSecrets.push({
+                            key,
+                            values: [{
+                                context: integration.context,
+                                value: secrets[key]
+                            }]
+                        });
+                    }
+                } else {
+                    // case: Netlify secret value does not exist in integration context
+                    // -> add the new Netlify secret context and value
+                    updateSecrets.push({
+                        key,
+                        values: [{
+                            context: integration.context,
+                            value: secrets[key]
+                        }]
+                    });
+                }
+            }
+        })
+        
+        // identify secrets to delete
+        // TODO: revise (patch case where 1 context was deleted but others still there
+        Object.keys(res).map((key) => {
+            // loop through each key's context
+            if (!(key in secrets)) {
+                // case: Netlify secret does not exist in Infisical
+                
+                const numberOfValues = res[key].values.length;
+                
+                res[key].values.forEach((value: NetlifyValue) => {
+                    if (value.context === integration.context) {
+                        if (numberOfValues <= 1) {
+                            // case: Netlify secret value has less than 1 context -> delete secret
+                            deleteSecrets.push(key); 
+                        } else {
+                            // case: Netlify secret value has more than 1 context -> delete secret value context
+                            deleteSecretValues.push({
+                                key,
+                                values: [{
+                                    id: value.id,
+                                    context: integration.context,
+                                    value: value.value
+                                }]
+                            });
+                        }
+                    }
+                });
+            }
+        });
+
+        const syncParams = new URLSearchParams({
+            site_id: integration.siteId
+        });
+
+        if (newSecrets.length > 0) {
+            await axios.post(
+                `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
+                newSecrets,
+                {
+                    params: syncParams,
+                    headers: {
+                        Authorization: `Bearer ${accessToken}`
+                    }
+                }
+            );
+        }
+
+        if (updateSecrets.length > 0) {
+            updateSecrets.forEach(async (secret: NetlifySecret) => {
+                await axios.patch(
+                    `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}`,
+                    {
+                        context: secret.values[0].context,
+                        value: secret.values[0].value
+                    },
+                    {
+                        params: syncParams,
+                        headers: {
+                            Authorization: `Bearer ${accessToken}` 
+                        }
+                    }
+                );
+            });
+        }
+
+        if (deleteSecrets.length > 0) {
+            deleteSecrets.forEach(async (key: string) => {
+                await axios.delete(
+                    `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${key}`,
+                    {
+                        params: syncParams,
+                        headers: {
+                            Authorization: `Bearer ${accessToken}`
+                        }
+                    }
+                );
+            });
+        }
+
+        if (deleteSecretValues.length > 0) {
+            deleteSecretValues.forEach(async (secret: NetlifySecret) => {
+                await axios.delete(
+                    `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}/value/${secret.values[0].id}`,
+                    {
+                        params: syncParams,
+                        headers: {
+                            Authorization: `Bearer ${accessToken}`
+                        }
+                    }
+                );
+            });
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to sync secrets to Heroku');
+    }
+}
+
+/**
+ * Sync/push [secrets] to GitHub [repo]
+ * @param {Object} obj
+ * @param {IIntegration} obj.integration - integration details
+ * @param {IIntegrationAuth} obj.integrationAuth - integration auth details
+ * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
+ */
+const syncSecretsGitHub = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: IIntegration;
+  secrets: any;
+  accessToken: string;
+}) => {
+  try {
+    
+    interface GitHubRepoKey {
+      key_id: string;
+      key: string;
+    }
+    
+    interface GitHubSecret {
+      name: string;
+      created_at: string;
+      updated_at: string;
+    }
+
+    interface GitHubSecretRes {
+        [index: string]: GitHubSecret;
+    }
+
+    const deleteSecrets: GitHubSecret[] = [];
+
+    const octokit = new Octokit({
+      auth: accessToken
+    });
+
+    const user = (await octokit.request('GET /user', {})).data;
+    
+    const repoPublicKey: GitHubRepoKey = (await octokit.request(
+      'GET /repos/{owner}/{repo}/actions/secrets/public-key',
+      {
+        owner: user.login,
+        repo: integration.app
+      }
+    )).data;
+
+    // // Get local copy of decrypted secrets. We cannot decrypt them as we dont have access to GH private key
+    const encryptedSecrets: GitHubSecretRes = (await octokit.request(
+      'GET /repos/{owner}/{repo}/actions/secrets',
+      {
+        owner: user.login,
+        repo: integration.app
+      }
+    ))
+    .data
+    .secrets
+    .reduce((obj: any, secret: any) => ({
+      ...obj,
+      [secret.name]: secret
+    }), {});
+    
+    Object.keys(encryptedSecrets).map(async (key) => {
+      if (!(key in secrets)) {
+        await octokit.request(
+          'DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}',
+          {
+            owner: user.login,
+            repo: integration.app,
+            secret_name: key
+          }
+        );
+      }
+    });
+    
+    Object.keys(secrets).map((key) => {
+      // let encryptedSecret;
+      sodium.ready.then(async () => {
+          // convert secret & base64 key to Uint8Array.
+          const binkey = sodium.from_base64(
+            repoPublicKey.key,
+            sodium.base64_variants.ORIGINAL
+          );
+          const binsec = sodium.from_string(secrets[key]);
+
+          // encrypt secret using libsodium
+          const encBytes = sodium.crypto_box_seal(binsec, binkey);
+
+          // convert encrypted Uint8Array to base64
+          const encryptedSecret = sodium.to_base64(
+            encBytes,
+            sodium.base64_variants.ORIGINAL
+          );
+          
+          await octokit.request(
+            'PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}',
+            {
+              owner: user.login,
+              repo: integration.app,
+              secret_name: key,
+              encrypted_value: encryptedSecret,
+              key_id: repoPublicKey.key_id
+            }
+          );
+      });
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to sync secrets to GitHub');
+  }
+};
+
+export { syncSecrets };

backend/src/json/integrations.json

@@ -1,50 +0,0 @@
-{
-	"heroku": {
-		"name": "Heroku",
-		"type": "oauth2",
-		"clientId": "bc132901-935a-4590-b010-f1857efc380d",
-		"docsLink": ""
-	},
-	"netlify": {
-		"name": "Netlify",
-		"type": "oauth2",
-		"clientId": "",
-		"docsLink": ""
-	},
-	"digitalocean": {
-		"name": "Digital Ocean",
-		"type": "oauth2",
-		"clientId": "",
-		"docsLink": ""
-	},
-	"gcp": {
-		"name": "Google Cloud Platform",
-		"type": "oauth2",
-		"clientId": "",
-		"docsLink": ""
-	},
-	"aws": {
-		"name": "Amazon Web Services",
-		"type": "oauth2",
-		"clientId": "",
-		"docsLink": ""
-	},
-	"azure": {
-		"name": "Microsoft Azure",
-		"type": "oauth2",
-		"clientId": "",
-		"docsLink": ""
-	},
-	"travisci": {
-		"name": "Travis CI",
-		"type": "oauth2",
-		"clientId": "",
-		"docsLink": ""
-	},
-	"circleci": {
-		"name": "Circle CI",
-		"type": "oauth2",
-		"clientId": "",
-		"docsLink": ""
-	}
-}

backend/src/middleware/index.ts

@@ -1,4 +1,5 @@
 import requireAuth from './requireAuth';
+import requireBotAuth from './requireBotAuth';
 import requireSignupAuth from './requireSignupAuth';
 import requireWorkspaceAuth from './requireWorkspaceAuth';
 import requireOrganizationAuth from './requireOrganizationAuth';
@@ -9,6 +10,7 @@ import validateRequest from './validateRequest';
 
 export {
 	requireAuth,
+	requireBotAuth,
 	requireSignupAuth,
 	requireWorkspaceAuth,
 	requireOrganizationAuth,

backend/src/middleware/requestErrorHandler.ts

@@ -0,0 +1,29 @@
+import { ErrorRequestHandler } from "express";
+
+import * as Sentry from '@sentry/node';
+import { InternalServerError } from "../utils/errors";
+import { getLogger } from "../utils/logger";
+import RequestError, { LogLevel } from "../utils/requestError";
+
+
+export const requestErrorHandler: ErrorRequestHandler = (error: RequestError|Error, req, res, next) => {
+    if(res.headersSent) return next();
+    //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
+    if(!(error instanceof RequestError)){
+        error = InternalServerError({context: {exception: error.message}, stack: error.stack})
+        getLogger('backend-main').log((<RequestError>error).levelName.toLowerCase(), (<RequestError>error).message)
+    }
+    
+    //* Set Sentry user identification if req.user is populated
+    if(req.user !== undefined && req.user !== null){
+        Sentry.setUser({ email: req.user.email })
+    }
+    //* Only sent error to Sentry if LogLevel is one of the following level 'ERROR', 'EMERGENCY' or 'CRITICAL'
+    //* with this we will eliminate false-positive errors like 'BadRequestError', 'UnauthorizedRequestError' and so on
+    if([LogLevel.ERROR, LogLevel.EMERGENCY, LogLevel.CRITICAL].includes((<RequestError>error).level)){
+        Sentry.captureException(error)
+    }
+    
+    res.status((<RequestError>error).statusCode).json((<RequestError>error).format(req))
+    next()
+}

backend/src/middleware/requireAuth.ts

@@ -1,8 +1,8 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
-import * as Sentry from '@sentry/node';
 import { User } from '../models';
 import { JWT_AUTH_SECRET } from '../config';
+import { AccountNotFoundError, BadRequestError, UnauthorizedRequestError } from '../utils/errors';
 
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -20,32 +20,25 @@ declare module 'jsonwebtoken' {
  */
 const requireAuth = async (req: Request, res: Response, next: NextFunction) => {
 	// JWT authentication middleware
-	try {
-		if (!req.headers?.authorization)
-			throw new Error('Failed to locate authorization header');
+	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
+	if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
+	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
 
-		const token = req.headers.authorization.split(' ')[1];
-		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(token, JWT_AUTH_SECRET)
-		);
+	const decodedToken = <jwt.UserIDJwtPayload>(
+		jwt.verify(AUTH_TOKEN_VALUE, JWT_AUTH_SECRET)
+	);
 
-		const user = await User.findOne({
-			_id: decodedToken.userId
-		}).select('+publicKey');
+	const user = await User.findOne({
+		_id: decodedToken.userId
+	}).select('+publicKey');
 
-		if (!user) throw new Error('Failed to authenticate unfound user');
-		if (!user?.publicKey)
-			throw new Error('Failed to authenticate not fully set up account');
+	if (!user) return next(AccountNotFoundError({message: 'Failed to locate User account'}))
+	if (!user?.publicKey)
+		return next(UnauthorizedRequestError({message: 'Unable to authenticate due to partially set up account'}))
 
-		req.user = user;
-		return next();
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(401).send({
-			error: 'Failed to authenticate user. Try logging in'
-		});
-	}
+	req.user = user;
+	return next();
 };
 
 export default requireAuth;

backend/src/middleware/requireBotAuth.ts

@@ -0,0 +1,37 @@
+import { Request, Response, NextFunction } from 'express';
+import { Bot } from '../models';
+import { validateMembership } from '../helpers/membership';
+import { AccountNotFoundError } from '../utils/errors';
+
+type req = 'params' | 'body' | 'query';
+
+const requireBotAuth = ({
+    acceptedRoles,
+    acceptedStatuses,
+    location = 'params'
+}: {
+    acceptedRoles: string[];
+    acceptedStatuses: string[];
+    location?: req;
+}) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        const bot = await Bot.findOne({ _id: req[location].botId });
+        
+        if (!bot) {
+            return next(AccountNotFoundError({message: 'Failed to locate Bot account'}))
+        }
+        
+        await validateMembership({
+            userId: req.user._id.toString(),
+            workspaceId: bot.workspace.toString(),
+            acceptedRoles,
+            acceptedStatuses
+        });
+        
+        req.bot = bot;
+        
+        next();
+    }
+}
+
+export default requireBotAuth;

backend/src/middleware/requireIntegrationAuth.ts

@@ -1,7 +1,8 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response, NextFunction } from 'express';
-import { Integration, IntegrationAuth, Membership } from '../models';
-import { getOAuthAccessToken } from '../helpers/integrationAuth';
+import { Integration, IntegrationAuth } from '../models';
+import { IntegrationService } from '../services';
+import { validateMembership } from '../helpers/membership';
+import { IntegrationNotFoundError, UnauthorizedRequestError } from '../utils/errors';
 
 /**
  * Validate if user on request is a member of workspace with proper roles associated
@@ -20,56 +21,40 @@ const requireIntegrationAuth = ({
 	return async (req: Request, res: Response, next: NextFunction) => {
 		// integration authorization middleware
 
-		try {
-			const { integrationId } = req.params;
+		const { integrationId } = req.params;
 
-			// validate integration accessibility
-			const integration = await Integration.findOne({
-				_id: integrationId
-			});
+		// validate integration accessibility
+		const integration = await Integration.findOne({
+			_id: integrationId
+		});
 
-			if (!integration) {
-				throw new Error('Failed to find integration');
-			}
-
-			const membership = await Membership.findOne({
-				user: req.user._id,
-				workspace: integration.workspace
-			});
-
-			if (!membership) {
-				throw new Error('Failed to find integration workspace membership');
-			}
-
-			if (!acceptedRoles.includes(membership.role)) {
-				throw new Error('Failed to validate workspace membership role');
-			}
-
-			if (!acceptedStatuses.includes(membership.status)) {
-				throw new Error('Failed to validate workspace membership status');
-			}
-
-			const integrationAuth = await IntegrationAuth.findOne({
-				_id: integration.integrationAuth
-			}).select(
-				'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
-			);
-
-			if (!integrationAuth) {
-				throw new Error('Failed to find integration authorization');
-			}
-
-			req.integration = integration;
-			req.accessToken = await getOAuthAccessToken({ integrationAuth });
-
-			return next();
-		} catch (err) {
-			Sentry.setUser(null);
-			Sentry.captureException(err);
-			return res.status(401).send({
-				error: 'Failed integration authorization'
-			});
+		if (!integration) {
+			return next(IntegrationNotFoundError({message: 'Failed to locate Integration'}))
 		}
+		
+		await validateMembership({
+			userId: req.user._id.toString(),
+			workspaceId: integration.workspace.toString(),
+			acceptedRoles,
+			acceptedStatuses
+		});
+
+		const integrationAuth = await IntegrationAuth.findOne({
+			_id: integration.integrationAuth
+		}).select(
+			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
+		);
+
+		if (!integrationAuth) {
+			return next(UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'}))
+		}
+
+		req.integration = integration;
+		req.accessToken = await IntegrationService.getIntegrationAuthAccess({
+			integrationAuthId: integrationAuth._id.toString()
+		});
+
+		return next();
 	};
 };
 

backend/src/middleware/requireIntegrationAuthorizationAuth.ts

@@ -1,8 +1,9 @@
 import * as Sentry from '@sentry/node';
 import { Request, Response, NextFunction } from 'express';
-import { IntegrationAuth, Membership } from '../models';
-import { decryptSymmetric } from '../utils/crypto';
-import { getOAuthAccessToken } from '../helpers/integrationAuth';
+import { IntegrationAuth } from '../models';
+import { IntegrationService } from '../services';
+import { validateMembership } from '../helpers/membership';
+import { UnauthorizedRequestError } from '../utils/errors';
 
 /**
  * Validate if user on request is a member of workspace with proper roles associated
@@ -10,62 +11,45 @@ import { getOAuthAccessToken } from '../helpers/integrationAuth';
  * @param {Object} obj
  * @param {String[]} obj.acceptedRoles - accepted workspace roles
  * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
- * @param {Boolean} obj.attachRefresh - whether or not to decrypt and attach integration authorization refresh token onto request
+ * @param {Boolean} obj.attachAccessToken - whether or not to decrypt and attach integration authorization access token onto request
  */
 const requireIntegrationAuthorizationAuth = ({
 	acceptedRoles,
-	acceptedStatuses
+	acceptedStatuses,
+	attachAccessToken = true
 }: {
 	acceptedRoles: string[];
 	acceptedStatuses: string[];
+	attachAccessToken?: boolean;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		// (authorization) integration authorization middleware
+		const { integrationAuthId } = req.params;
 
-		try {
-			const { integrationAuthId } = req.params;
+		const integrationAuth = await IntegrationAuth.findOne({
+			_id: integrationAuthId
+		}).select(
+			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
+		);
 
-			const integrationAuth = await IntegrationAuth.findOne({
-				_id: integrationAuthId
-			}).select(
-				'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
-			);
+		if (!integrationAuth) {
+			return next(UnauthorizedRequestError({message: 'Failed to locate Integration Authorization credentials'}))
+		}
+		
+		await validateMembership({
+			userId: req.user._id.toString(),
+			workspaceId: integrationAuth.workspace.toString(),
+			acceptedRoles,
+			acceptedStatuses
+		});
 
-			if (!integrationAuth) {
-				throw new Error('Failed to find integration authorization');
-			}
-
-			const membership = await Membership.findOne({
-				user: req.user._id,
-				workspace: integrationAuth.workspace
-			});
-
-			if (!membership) {
-				throw new Error(
-					'Failed to find integration authorization workspace membership'
-				);
-			}
-
-			if (!acceptedRoles.includes(membership.role)) {
-				throw new Error('Failed to validate workspace membership role');
-			}
-
-			if (!acceptedStatuses.includes(membership.status)) {
-				throw new Error('Failed to validate workspace membership status');
-			}
-
-			req.integrationAuth = integrationAuth;
-
-			// TODO: make compatible with other integration types since they won't necessarily have access tokens
-			req.accessToken = await getOAuthAccessToken({ integrationAuth });
-			return next();
-		} catch (err) {
-			Sentry.setUser(null);
-			Sentry.captureException(err);
-			return res.status(401).send({
-				error: 'Failed (authorization) integration authorizationt'
+		req.integrationAuth = integrationAuth;
+		if (attachAccessToken) {
+			req.accessToken = await IntegrationService.getIntegrationAuthAccess({
+				integrationAuthId: integrationAuth._id.toString()
 			});
 		}
+		
+		return next();
 	};
 };
 

backend/src/middleware/requireOrganizationAuth.ts

@@ -1,6 +1,6 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response, NextFunction } from 'express';
 import { IOrganization, MembershipOrg } from '../models';
+import { UnauthorizedRequestError, ValidationError } from '../utils/errors';
 
 /**
  * Validate if user on request is a member with proper roles for organization
@@ -19,35 +19,28 @@ const requireOrganizationAuth = ({
 	return async (req: Request, res: Response, next: NextFunction) => {
 		// organization authorization middleware
 
-		try {
-			// validate organization membership
-			const membershipOrg = await MembershipOrg.findOne({
-				user: req.user._id,
-				organization: req.params.organizationId
-			}).populate<{ organization: IOrganization }>('organization');
+		// validate organization membership
+		const membershipOrg = await MembershipOrg.findOne({
+			user: req.user._id,
+			organization: req.params.organizationId
+		}).populate<{ organization: IOrganization }>('organization');
 
-			if (!membershipOrg) {
-				throw new Error('Failed to find organization membership');
-			}
 
-			if (!acceptedRoles.includes(membershipOrg.role)) {
-				throw new Error('Failed to validate organization membership role');
-			}
-
-			if (!acceptedStatuses.includes(membershipOrg.status)) {
-				throw new Error('Failed to validate organization membership status');
-			}
-
-			req.membershipOrg = membershipOrg;
-
-			return next();
-		} catch (err) {
-			Sentry.setUser(null);
-			Sentry.captureException(err);
-			return res.status(401).send({
-				error: 'Failed organization authorization'
-			});
+		if (!membershipOrg) {
+			return next(UnauthorizedRequestError({message: "You're not a member of this Organization."}))
 		}
+		//TODO is this important to validate? I mean is it possible to save wrong role to database or get wrong role from databse? - Zamion101
+		if (!acceptedRoles.includes(membershipOrg.role)) {
+			return next(ValidationError({message: 'Failed to validate Organization Membership Role'}))
+		}
+
+		if (!acceptedStatuses.includes(membershipOrg.status)) {
+			return next(ValidationError({message: 'Failed to validate Organization Membership Status'}))
+		}
+
+		req.membershipOrg = membershipOrg;
+
+		return next();
 	};
 };
 

backend/src/middleware/requireServiceTokenAuth.ts

@@ -1,8 +1,8 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
-import * as Sentry from '@sentry/node';
 import { ServiceToken } from '../models';
 import { JWT_SERVICE_SECRET } from '../config';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
 
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -24,33 +24,27 @@ const requireServiceTokenAuth = async (
 	next: NextFunction
 ) => {
 	// JWT service token middleware
-	try {
-		if (!req.headers?.authorization)
-			throw new Error('Failed to locate authorization header');
+	
+	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
+	//TODO: Determine what is the actual Token Type for Service Token Authentication (ex. Bearer)
+	//if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(UnauthorizedRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
+	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
 
-		const token = req.headers.authorization.split(' ')[1];
+	const decodedToken = <jwt.UserIDJwtPayload>(
+		jwt.verify(AUTH_TOKEN_VALUE, JWT_SERVICE_SECRET)
+	);
 
-		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(token, JWT_SERVICE_SECRET)
-		);
+	const serviceToken = await ServiceToken.findOne({
+		_id: decodedToken.serviceTokenId
+	})
+		.populate('user', '+publicKey')
+		.select('+encryptedKey +publicKey +nonce');
 
-		const serviceToken = await ServiceToken.findOne({
-			_id: decodedToken.serviceTokenId
-		})
-			.populate('user', '+publicKey')
-			.select('+encryptedKey +publicKey +nonce');
+	if (!serviceToken) return next(UnauthorizedRequestError({message: 'The service token does not match the record in the database'}))
 
-		if (!serviceToken) throw new Error('Failed to find service token');
-
-		req.serviceToken = serviceToken;
-		return next();
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(401).send({
-			error: 'Failed to authenticate service token'
-		});
-	}
+	req.serviceToken = serviceToken;
+	return next();
 };
 
 export default requireServiceTokenAuth;

backend/src/middleware/requireSignupAuth.ts

@@ -1,8 +1,8 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
-import * as Sentry from '@sentry/node';
 import { User } from '../models';
 import { JWT_SIGNUP_SECRET } from '../config';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
 
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@@ -21,32 +21,24 @@ const requireSignupAuth = async (
 ) => {
 	// JWT (temporary) authentication middleware for complete signup
 
-	try {
-		if (!req.headers?.authorization)
-			throw new Error('Failed to locate authorization header');
+	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
+	if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
+	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
+	
+	const decodedToken = <jwt.UserIDJwtPayload>(
+		jwt.verify(AUTH_TOKEN_VALUE, JWT_SIGNUP_SECRET)
+	);
 
-		const token = req.headers.authorization.split(' ')[1];
-		const decodedToken = <jwt.UserIDJwtPayload>(
-			jwt.verify(token, JWT_SIGNUP_SECRET)
-		);
+	const user = await User.findOne({
+		_id: decodedToken.userId
+	}).select('+publicKey');
 
-		const user = await User.findOne({
-			_id: decodedToken.userId
-		}).select('+publicKey');
+	if (!user)
+		return next(UnauthorizedRequestError({message: 'Unable to authenticate for User account completion. Try logging in again'}))
 
-		if (!user)
-			throw new Error('Failed to temporarily authenticate unfound user');
-
-		req.user = user;
-		return next();
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(401).send({
-			error:
-				'Failed to temporarily authenticate user for complete account. Try logging in'
-		});
-	}
+	req.user = user;
+	return next();
 };
 
 export default requireSignupAuth;

backend/src/middleware/requireWorkspaceAuth.ts

@@ -1,6 +1,6 @@
-import * as Sentry from '@sentry/node';
 import { Request, Response, NextFunction } from 'express';
-import { Membership, IWorkspace } from '../models';
+import { validateMembership } from '../helpers/membership';
+import { UnauthorizedRequestError } from '../utils/errors';
 
 type req = 'params' | 'body' | 'query';
 
@@ -25,34 +25,18 @@ const requireWorkspaceAuth = ({
 		// workspace authorization middleware
 
 		try {
-			// validate workspace membership
-
-			const membership = await Membership.findOne({
-				user: req.user._id,
-				workspace: req[location].workspaceId
-			}).populate<{ workspace: IWorkspace }>('workspace');
-
-			if (!membership) {
-				throw new Error('Failed to find workspace membership');
-			}
-
-			if (!acceptedRoles.includes(membership.role)) {
-				throw new Error('Failed to validate workspace membership role');
-			}
-
-			if (!acceptedStatuses.includes(membership.status)) {
-				throw new Error('Failed to validate workspace membership status');
-			}
+			const membership = await validateMembership({
+				userId: req.user._id.toString(),
+				workspaceId: req[location].workspaceId,
+				acceptedRoles,
+				acceptedStatuses
+			});
 
 			req.membership = membership;
 
 			return next();
 		} catch (err) {
-			Sentry.setUser(null);
-			Sentry.captureException(err);
-			return res.status(401).send({
-				error: 'Failed workspace authorization'
-			});
+			return next(UnauthorizedRequestError({message: 'Unable to authenticate workspace'}))
 		}
 	};
 };

backend/src/middleware/validateRequest.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
-import * as Sentry from '@sentry/node';
 import { validationResult } from 'express-validator';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
 
 /**
  * Validate intended inputs on [req] via express-validator
@@ -15,16 +15,12 @@ const validate = (req: Request, res: Response, next: NextFunction) => {
 	try {
 		const errors = validationResult(req);
 		if (!errors.isEmpty()) {
-			return res.status(400).json({ errors: errors.array() });
+			return next(BadRequestError({context: {errors: errors.array}}))
 		}
 
 		return next();
 	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(401).send({
-			error: "Looks like you're unauthenticated . Try logging in"
-		});
+		return next(UnauthorizedRequestError({message: 'Unauthenticated requests are not allowed. Try logging in'}))
 	}
 };
 

backend/src/models/bot.ts

@@ -0,0 +1,57 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface IBot {
+	_id: Types.ObjectId;
+    name: string;
+    workspace: Types.ObjectId;
+    isActive: boolean;
+    publicKey: string;
+    encryptedPrivateKey: string;
+    iv: string;
+    tag: string;
+}
+
+const botSchema = new Schema<IBot>(
+	{
+        name: {
+            type: String,
+            required: true
+        },
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace',
+            required: true
+        },
+        isActive: {
+            type: Boolean,
+            required: true,
+            default: false
+        },
+        publicKey: {
+            type: String,
+            required: true
+        },
+        encryptedPrivateKey: {
+            type: String,
+            required: true,
+            select: false
+        },
+        iv: {
+            type: String,
+            required: true,
+            select: false
+        },
+        tag: {
+            type: String,
+            required: true,
+            select: false
+        }
+	},
+	{
+		timestamps: true
+	}
+);
+
+const Bot = model<IBot>('Bot', botSchema);
+
+export default Bot;

backend/src/models/botKey.ts

@@ -0,0 +1,45 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface IBotKey {
+	_id: Types.ObjectId;
+	encryptedKey: string;
+	nonce: string;
+	sender: Types.ObjectId;
+	bot: Types.ObjectId;
+	workspace: Types.ObjectId;
+}
+
+const botKeySchema = new Schema<IBotKey>(
+	{
+		encryptedKey: {
+			type: String,
+			required: true
+		},
+		nonce: {
+			type: String,
+			required: true
+		},
+		sender: {
+			type: Schema.Types.ObjectId,
+			ref: 'User',
+			required: true
+		},
+		bot: {
+			type: Schema.Types.ObjectId,
+			ref: 'Bot',
+			required: true
+		},
+		workspace: {
+			type: Schema.Types.ObjectId,
+			ref: 'Workspace',
+			required: true
+		}
+	},
+	{
+		timestamps: true
+	}
+);
+
+const BotKey = model<IBotKey>('BotKey', botKeySchema);
+
+export default BotKey;

backend/src/models/index.ts

@@ -1,4 +1,6 @@
 import BackupPrivateKey, { IBackupPrivateKey } from './backupPrivateKey';
+import Bot, { IBot } from './bot';
+import BotKey, { IBotKey } from './botKey';
 import IncidentContactOrg, { IIncidentContactOrg } from './incidentContactOrg';
 import Integration, { IIntegration } from './integration';
 import IntegrationAuth, { IIntegrationAuth } from './integrationAuth';
@@ -16,6 +18,10 @@ import Workspace, { IWorkspace } from './workspace';
 export {
 	BackupPrivateKey,
 	IBackupPrivateKey,
+	Bot,
+	IBot,
+	BotKey,
+	IBotKey,
 	IncidentContactOrg,
 	IIncidentContactOrg,
 	Integration,

backend/src/models/integration.ts

@@ -1,59 +1,83 @@
 import { Schema, model, Types } from 'mongoose';
 import {
-	ENV_DEV,
-	ENV_TESTING,
-	ENV_STAGING,
-	ENV_PROD,
-	INTEGRATION_HEROKU,
-	INTEGRATION_NETLIFY
+  ENV_DEV,
+  ENV_TESTING,
+  ENV_STAGING,
+  ENV_PROD,
+  INTEGRATION_HEROKU,
+  INTEGRATION_VERCEL,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_GITHUB
 } from '../variables';
 
 export interface IIntegration {
-	_id: Types.ObjectId;
-	workspace: Types.ObjectId;
-	environment: 'dev' | 'test' | 'staging' | 'prod';
-	isActive: boolean;
-	app: string;
-	integration: 'heroku' | 'netlify';
-	integrationAuth: Types.ObjectId;
+  _id: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: 'dev' | 'test' | 'staging' | 'prod';
+  isActive: boolean;
+  app: string;
+  target: string;
+  context: string;
+  siteId: string;
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github';
+  integrationAuth: Types.ObjectId;
 }
 
 const integrationSchema = new Schema<IIntegration>(
-	{
-		workspace: {
-			type: Schema.Types.ObjectId,
-			ref: 'Workspace',
-			required: true
-		},
-		environment: {
-			type: String,
-			enum: [ENV_DEV, ENV_TESTING, ENV_STAGING, ENV_PROD],
-			required: true
-		},
-		isActive: {
-			type: Boolean,
-			required: true
-		},
-		app: {
-			// name of app in provider
-			type: String,
-			default: null,
-			required: true
-		},
-		integration: {
-			type: String,
-			enum: [INTEGRATION_HEROKU, INTEGRATION_NETLIFY],
-			required: true
-		},
-		integrationAuth: {
-			type: Schema.Types.ObjectId,
-			ref: 'IntegrationAuth',
-			required: true
-		}
-	},
-	{
-		timestamps: true
-	}
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: 'Workspace',
+      required: true
+    },
+    environment: {
+      type: String,
+      enum: [ENV_DEV, ENV_TESTING, ENV_STAGING, ENV_PROD],
+      required: true
+    },
+    isActive: {
+      type: Boolean,
+      required: true
+    },
+    app: {
+      // name of app in provider
+      type: String,
+      default: null
+    },
+    target: {
+      // vercel-specific target (environment)
+      type: String,
+      default: null
+    },
+    context: {
+      // netlify-specific context (deploy)
+      type: String,
+      default: null
+    },
+    siteId: {
+      // netlify-specific site (app) id
+      type: String,
+      default: null
+    },
+    integration: {
+      type: String,
+      enum: [
+        INTEGRATION_HEROKU,
+        INTEGRATION_VERCEL,
+        INTEGRATION_NETLIFY,
+        INTEGRATION_GITHUB
+      ],
+      required: true
+    },
+    integrationAuth: {
+      type: Schema.Types.ObjectId,
+      ref: 'IntegrationAuth',
+      required: true
+    }
+  },
+  {
+    timestamps: true
+  }
 );
 
 const Integration = model<IIntegration>('Integration', integrationSchema);

backend/src/models/integrationAuth.ts

@@ -1,67 +1,87 @@
 import { Schema, model, Types } from 'mongoose';
-import { INTEGRATION_HEROKU, INTEGRATION_NETLIFY } from '../variables';
+import {
+  INTEGRATION_HEROKU,
+  INTEGRATION_VERCEL,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_GITHUB
+} from '../variables';
 
 export interface IIntegrationAuth {
-	_id: Types.ObjectId;
-	workspace: Types.ObjectId;
-	integration: 'heroku' | 'netlify';
-	refreshCiphertext?: string;
-	refreshIV?: string;
-	refreshTag?: string;
-	accessCiphertext?: string;
-	accessIV?: string;
-	accessTag?: string;
-	accessExpiresAt?: Date;
+  _id: Types.ObjectId;
+  workspace: Types.ObjectId;
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github';
+  teamId: string;
+  accountId: string;
+  refreshCiphertext?: string;
+  refreshIV?: string;
+  refreshTag?: string;
+  accessCiphertext?: string;
+  accessIV?: string;
+  accessTag?: string;
+  accessExpiresAt?: Date;
 }
 
 const integrationAuthSchema = new Schema<IIntegrationAuth>(
-	{
-		workspace: {
-			type: Schema.Types.ObjectId,
-			required: true
-		},
-		integration: {
-			type: String,
-			enum: [INTEGRATION_HEROKU, INTEGRATION_NETLIFY],
-			required: true
-		},
-		refreshCiphertext: {
-			type: String,
-			select: false
-		},
-		refreshIV: {
-			type: String,
-			select: false
-		},
-		refreshTag: {
-			type: String,
-			select: false
-		},
-		accessCiphertext: {
-			type: String,
-			select: false
-		},
-		accessIV: {
-			type: String,
-			select: false
-		},
-		accessTag: {
-			type: String,
-			select: false
-		},
-		accessExpiresAt: {
-			type: Date,
-			select: false
-		}
-	},
-	{
-		timestamps: true
-	}
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      required: true
+    },
+    integration: {
+      type: String,
+      enum: [
+        INTEGRATION_HEROKU,
+        INTEGRATION_VERCEL,
+        INTEGRATION_NETLIFY,
+        INTEGRATION_GITHUB
+      ],
+      required: true
+    },
+    teamId: {
+      // vercel-specific integration param
+      type: String
+    },
+    accountId: {
+      // netlify-specific integration param
+      type: String
+    },
+    refreshCiphertext: {
+      type: String,
+      select: false
+    },
+    refreshIV: {
+      type: String,
+      select: false
+    },
+    refreshTag: {
+      type: String,
+      select: false
+    },
+    accessCiphertext: {
+      type: String,
+      select: false
+    },
+    accessIV: {
+      type: String,
+      select: false
+    },
+    accessTag: {
+      type: String,
+      select: false
+    },
+    accessExpiresAt: {
+      type: Date,
+      select: false
+    }
+  },
+  {
+    timestamps: true
+  }
 );
 
 const IntegrationAuth = model<IIntegrationAuth>(
-	'IntegrationAuth',
-	integrationAuthSchema
+  'IntegrationAuth',
+  integrationAuthSchema
 );
 
 export default IntegrationAuth;

backend/src/models/secret.ts

@@ -10,6 +10,7 @@ import {
 
 export interface ISecret {
 	_id: Types.ObjectId;
+	version: number;
 	workspace: Types.ObjectId;
 	type: string;
 	user: Types.ObjectId;
@@ -26,6 +27,10 @@ export interface ISecret {
 
 const secretSchema = new Schema<ISecret>(
 	{
+		version: {
+			type: Number,
+			required: true
+		},
 		workspace: {
 			type: Schema.Types.ObjectId,
 			ref: 'Workspace',

backend/src/models/token.ts

@@ -2,25 +2,30 @@ import { Schema, model } from 'mongoose';
 import { EMAIL_TOKEN_LIFETIME } from '../config';
 
 export interface IToken {
-	email: String;
-	token: String;
-	createdAt: Date;
+  email: string;
+  token: string;
+  createdAt: Date;
 }
 
 const tokenSchema = new Schema<IToken>({
-	email: {
-		type: String,
-		required: true
-	},
-	token: {
-		type: String,
-		required: true
-	},
-	createdAt: {
-		type: Date,
-		expires: EMAIL_TOKEN_LIFETIME,
-		default: Date.now
-	}
+  email: {
+    type: String,
+    required: true
+  },
+  token: {
+    type: String,
+    required: true
+  },
+  createdAt: {
+    type: Date,
+    default: Date.now
+  }
+});
+
+tokenSchema.index({ 
+  createdAt: 1 
+}, { 
+  expireAfterSeconds: parseInt(EMAIL_TOKEN_LIFETIME) 
 });
 
 const Token = model<IToken>('Token', tokenSchema);

backend/src/routes/auth.ts

@@ -5,28 +5,24 @@ import { requireAuth, validateRequest } from '../middleware';
 import { authController } from '../controllers';
 import { loginLimiter } from '../helpers/rateLimiter';
 
+router.post('/token', validateRequest, authController.getNewToken);
+
 router.post(
-	'/token',
-	validateRequest,
-	authController.getNewToken
+  '/login1',
+  loginLimiter,
+  body('email').exists().trim().notEmpty(),
+  body('clientPublicKey').exists().trim().notEmpty(),
+  validateRequest,
+  authController.login1
 );
 
 router.post(
-	'/login1',
-	loginLimiter,
-	body('email').exists().trim().notEmpty(),
-	body('clientPublicKey').exists().trim().notEmpty(),
-	validateRequest,
-	authController.login1
-);
-
-router.post(
-	'/login2',
-	loginLimiter,
-	body('email').exists().trim().notEmpty(),
-	body('clientProof').exists().trim().notEmpty(),
-	validateRequest,
-	authController.login2
+  '/login2',
+  loginLimiter,
+  body('email').exists().trim().notEmpty(),
+  body('clientProof').exists().trim().notEmpty(),
+  validateRequest,
+  authController.login2
 );
 
 router.post('/logout', requireAuth, authController.logout);

backend/src/routes/bot.ts

@@ -0,0 +1,38 @@
+import express from 'express';
+const router = express.Router();
+import { body, param } from 'express-validator';
+import {
+    requireAuth,
+    requireBotAuth,
+    requireWorkspaceAuth,
+    validateRequest
+} from '../middleware';
+import { botController } from '../controllers';
+import { ADMIN, MEMBER, COMPLETED, GRANTED } from '../variables';
+
+router.get(
+    '/:workspaceId',
+	requireAuth,
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		acceptedStatuses: [COMPLETED, GRANTED]
+	}),
+    param('workspaceId').exists().trim().notEmpty(),
+    validateRequest,
+    botController.getBotByWorkspaceId
+);
+
+router.patch(
+    '/:botId/active',
+    requireAuth,
+    requireBotAuth({
+		acceptedRoles: [ADMIN, MEMBER],
+		acceptedStatuses: [COMPLETED, GRANTED]
+    }),
+    body('isActive').isBoolean(),
+    body('botKey'),
+    validateRequest,
+    botController.setBotActiveState
+);
+
+export default router;

backend/src/routes/index.ts

@@ -1,4 +1,5 @@
 import signup from './signup';
+import bot from './bot';
 import auth from './auth';
 import user from './user';
 import userAction from './userAction';
@@ -18,6 +19,7 @@ import integrationAuth from './integrationAuth';
 export {
 	signup,
 	auth,
+	bot,
 	user,
 	userAction,
 	organization,

backend/src/routes/integration.ts

@@ -9,22 +9,6 @@ import { ADMIN, MEMBER, GRANTED } from '../variables';
 import { body, param } from 'express-validator';
 import { integrationController } from '../controllers';
 
-router.get('/integrations', requireAuth, integrationController.getIntegrations);
-
-router.post(
-	'/:integrationId/sync',
-	requireAuth,
-	requireIntegrationAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		acceptedStatuses: [GRANTED]
-	}),
-	param('integrationId').exists().trim(),
-	body('key').exists(),
-	body('secrets').exists(),
-	validateRequest,
-	integrationController.syncIntegration
-);
-
 router.patch(
 	'/:integrationId',
 	requireAuth,
@@ -32,10 +16,15 @@ router.patch(
 		acceptedRoles: [ADMIN, MEMBER],
 		acceptedStatuses: [GRANTED]
 	}),
-	param('integrationId'),
-	body('update'),
+	param('integrationId').exists().trim(),
+	body('app').exists().trim(),
+	body('environment').exists().trim(),
+	body('isActive').exists().isBoolean(),
+	body('target').exists(),
+	body('context').exists(),
+	body('siteId').exists(),
 	validateRequest,
-	integrationController.modifyIntegration
+	integrationController.updateIntegration
 );
 
 router.delete(
@@ -45,7 +34,7 @@ router.delete(
 		acceptedRoles: [ADMIN, MEMBER],
 		acceptedStatuses: [GRANTED]
 	}),
-	param('integrationId'),
+	param('integrationId').exists().trim(),
 	validateRequest,
 	integrationController.deleteIntegration
 );

backend/src/routes/integrationAuth.ts

@@ -10,6 +10,12 @@ import {
 import { ADMIN, MEMBER, GRANTED } from '../variables';
 import { integrationAuthController } from '../controllers';
 
+router.get(
+	'/integration-options',
+	requireAuth,
+	integrationAuthController.getIntegrationOptions
+);
+
 router.post(
 	'/oauth-token',
 	requireAuth,
@@ -22,7 +28,7 @@ router.post(
 	body('code').exists().trim().notEmpty(),
 	body('integration').exists().trim().notEmpty(),
 	validateRequest,
-	integrationAuthController.integrationAuthOauthExchange
+	integrationAuthController.oAuthExchange
 );
 
 router.get(
@@ -42,7 +48,8 @@ router.delete(
 	requireAuth,
 	requireIntegrationAuthorizationAuth({
 		acceptedRoles: [ADMIN, MEMBER],
-		acceptedStatuses: [GRANTED]
+		acceptedStatuses: [GRANTED],
+		attachAccessToken: false
 	}),
 	param('integrationAuthId'),
 	validateRequest,

backend/src/routes/key.ts

@@ -34,6 +34,4 @@ router.get(
 	keyController.getLatestKey
 );
 
-router.get('/publicKey/infisical', keyController.getPublicKeyInfisical);
-
 export default router;

backend/src/routes/password.ts

@@ -1,7 +1,7 @@
 import express from 'express';
 const router = express.Router();
 import { body } from 'express-validator';
-import { requireAuth, validateRequest } from '../middleware';
+import { requireAuth, requireSignupAuth, validateRequest } from '../middleware';
 import { passwordController } from '../controllers';
 import { passwordLimiter } from '../helpers/rateLimiter';
 
@@ -27,6 +27,30 @@ router.post(
 	passwordController.changePassword
 );
 
+router.post(
+	'/email/password-reset',
+	passwordLimiter,
+	body('email').exists().trim().notEmpty(),
+	validateRequest,
+	passwordController.emailPasswordReset
+);
+
+router.post(
+	'/email/password-reset-verify',
+	passwordLimiter,
+	body('email').exists().trim().notEmpty().isEmail(),
+	body('code').exists().trim().notEmpty(),
+	validateRequest,
+	passwordController.emailPasswordResetVerify
+);
+
+router.get(
+	'/backup-private-key',
+	passwordLimiter,
+	requireSignupAuth,
+	passwordController.getBackupPrivateKey
+);
+
 router.post(
 	'/backup-private-key',
 	passwordLimiter,
@@ -41,4 +65,16 @@ router.post(
 	passwordController.createBackupPrivateKey
 );
 
-export default router;
+router.post(
+	'/password-reset',
+	requireSignupAuth,
+	body('encryptedPrivateKey').exists().trim().notEmpty(), // private key encrypted under new pwd
+	body('iv').exists().trim().notEmpty(), // new iv for private key
+	body('tag').exists().trim().notEmpty(), // new tag for private key 
+	body('salt').exists().trim().notEmpty(), // part of new pwd
+	body('verifier').exists().trim().notEmpty(), // part of new pwd
+	validateRequest,
+	passwordController.resetPassword
+);
+
+export default router;

backend/src/routes/secret.ts

@@ -7,8 +7,8 @@ import {
 	validateRequest
 } from '../middleware';
 import { body, query, param } from 'express-validator';
-import { ADMIN, MEMBER, COMPLETED, GRANTED } from '../variables';
 import { secretController } from '../controllers';
+import { ADMIN, MEMBER, COMPLETED, GRANTED } from '../variables';
 
 router.post(
 	'/:workspaceId',